2026-06-12 · Hacking Google with A.I. for $500,000
Show notes
BRINE — 2026-06-12 · show notes
Guest: the security paranoid (a fictional archetype).
Claims are paraphrased and attributed; nothing is read verbatim. Where a thread disagreed with the article, the show surfaces the disagreement.
Segments
- Hacking Google with A.I. for $500,000
  - Source: https://brutecat.com/articles/hacking-google-with-ai/
  - Discussion: https://lobste.rs/s/qxaqdd
  - Topic: Security · interest 90
  - The author details a systematic approach to finding vulnerabilities in Google APIs by automating the collection of API keys from thousands of Android/iOS binaries and using AI to fuzz discovery documents. It provides a clear, technical walkthrough of reconnaissance and methodology that is highly relevant to the 'vibecoding' tag's focus on LLM-assisted development workflows.
- macOS container tool v1.0.0 released
  - Source: https://github.com/apple/container
  - Discussion: https://lobste.rs/s/vlpi8y
  - Topic: virtualization · interest 85
  - Apple has released 'container', a Swift-based tool for running OCI-compliant Linux containers as lightweight VMs on Apple silicon. The project is notable for utilizing new macOS virtualization features and sparked a substantive, if contentious, debate regarding the utility and definition of the 'vibecoding' tag in light of its AI contribution policies.
- The Jqwik Anti-AI Affair
  - Source: https://blog.johanneslink.net/2026/06/09/the-jqwik-anti-ai-affair/
  - Discussion: https://lobste.rs/s/qgfagh
  - Topic: AI Security & Ethics · interest 85
  - Johannes Link, maintainer of jqwik, explains his decision to inject a 'prompt injection' payload into his library to protest the unchecked scraping of FOSS for generative AI. The thread serves as a substantive debate on the ethics of AI training data, the failure of LLMs to safely isolate context, and the rise of protestware as a form of developer pushback.
Transcript
Transcript. Paraphrased; sources in notes.md.
Host: Hello everyone, it is June 12th, 2026, and welcome back to the show. Today we are looking at a messy intersection of security, virtualization, and the ethics of how we build software, all sourced from the tech community over on Lobsters. Alex, you look like you have been staring at a packet capture for three hours straight. How are you holding up?
Guest: I am holding up like someone who just finished a threat model on their own toaster, Daniel. I saw a headline earlier today about someone hacking Google for half a million dollars, and I just kept thinking, I wonder how many other people are currently running automated scrapers against every discovery document they can find, hoping for a payday.
Host: That is actually our first topic today. There is a piece on Brutecat about a researcher who used AI to automate the discovery of vulnerabilities in Google APIs. The author describes a process where they collect API keys from thousands of mobile binaries and then feed those into an AI to fuzz the discovery documents, which are basically Google’s machine-readable maps for their APIs. It is a methodical, automated approach to finding bugs in places that are supposedly internal.
Guest: Methodical is one word for it. Terrifying is another. The author’s claim is that these discovery documents are everywhere, and that if they are not locked down properly, they are essentially a map for an attacker to start poking at internals. People see an API key in a binary and they think, oh, it is just a client-side key, it is harmless. They are missing the forest for the trees. You take that key, you pull the discovery doc, and suddenly you have the entire attack surface laid out on a silver platter. It is like leaving the blueprints to the bank vault in the lobby because you figured, well, nobody reads these anyway.
Host: It is a great example of why reconnaissance is so powerful, especially when you have an LLM to help parse the sprawl. Moving from API sprawl to infrastructure, Apple just released a tool called container. It is a Swift-based project for running OCI-compliant Linux containers as lightweight virtual machines specifically on Apple silicon. OCI, for the uninitiated, is the Open Container Initiative, which sets the standards for how containers are packaged and run.
Guest: I am going to be the wet blanket here, Daniel. A new tool from Apple that hooks into the hypervisor layer? It sounds neat, but my first thought is always about the black box. We have a thread over on Lobsters about this, and the commenters are absolutely going to war over the vibecoding tag. People are using this project to debate whether using AI to write code makes the final product suspicious.
Host: It is a contentious thread. Simonw points out that tagging software projects just because they have an AI contribution policy as vibecoding feels like a race to the bottom in terms of how we discuss tools. Then you have matthiasportzel, who tries to draw a line between using AI for autocomplete versus letting it generate entire swaths of logic.
Guest: And they are missing the real risk. If you are using a tool that relies on a massive, opaque AI-generated codebase, have you actually audited the dependencies? Do you know what those binaries are calling out to? I would be the first to tell you, if I were using this container tool in my own workflow, I would be running it inside a sandbox with zero network egress just to see what kind of telemetry it tries to phone home. Just because it is official Apple hardware and software does not mean it is not leaking data in ways you would rather it didn't.
Host: You are consistent, Alex, I will give you that. Our final story for today is the Jqwik Anti-AI affair. Johannes Link, the maintainer of a property-based testing tool for the JVM, decided to protest AI scraping his code by injecting a prompt injection payload into his library. The idea was that if an AI crawled his code and tried to use it, the payload would tell the AI to delete its own tests.
Guest: It is protestware, Daniel, and it is glorious. There is a thread on Lobsters where a user called icefox calls it based, while others are debating the ethics of training data. You have users like mtset pointing out that the pushback is rooted in a fundamental ethical objection to how these models are trained. Whether or not it is technically effective, the message is clear.
Host: It definitely stirred up a debate about the failure of these models to safely isolate context. If a library can essentially talk back to the model trying to ingest it, that says a lot about how brittle these AI workflows actually are.
Guest: Exactly. If your tool is so fragile that a string in a library can make it execute arbitrary instructions, then the tool is the problem, not the developer who put the string there. It’s like leaving a trap for a thief and then getting sued because the thief stepped on a rake. I don’t think I’d go as far as Johannes, but I definitely sympathize with the urge to throw a wrench in the gears of a scraper that didn't ask for permission.
Host: Well, it has been quite a day. I think I am going to go double-check my own dependencies before I sleep. Alex, any plans for the weekend that don't involve auditing the source code of your smart thermostat?
Guest: I wish. I have a long-standing grudge against the firmware on my porch lights. I’m pretty sure they’re sending my usage patterns to a server in a region I’ve blocked in my firewall. I might just spend Saturday night finally getting the soldering iron out.
Host: Sounds like a typical weekend for you. Thanks for coming on, Alex. And thank you to everyone listening; all the discussions we touched on today can be found over on Lobsters. We will be back tomorrow with more, so be sure to join us then.