[HackerNotes Ep. 170] Live From South Korea : AI Exfiltration, SDK Hacking, and the Art of Self-Advocacy

Hacker TL;DR

• AI exfiltration through binary oracles and HTML injection represents a new, high-impact vulnerability class in AI-integrated products

• SDK code review with Claude Code eliminates the friction of tracing user input through REST API wrappers to find path traversals

• Auth grant scope expansion is a consistently overlooked attack surface: the OAuth consent screen may not reflect actual permissions

• Advocating for your findings at live events is a skill: prepare a hit list, get verbal commitments, and document everything on the report

We do subs at $25, $10, and $5, premium subscribers get access to:

– Hackalongs: live bug bounty hacking on real programs, VODs available
– Live data streams, exploits, tools, scripts & un-redacted bug reports

You can also find some hacker swag here.

Back-to-Back in South Korea

Justin and Joseph recorded this episode while walking back to their hotel rooms after the Google LHE. The Google event was smaller than usual, around 15 to 20 invited researchers, but the quality of findings was notably higher than previous iterations.

What stood out was the maturity of AI vulnerability research. This was not researchers forcing social engineering edge cases through chatbots. These were technically rigorous exploitation chains with demonstrated, consistent impact.

AI Exfiltration: A New Vulnerability Class

Binary Oracle Attacks

Several researchers demonstrated data exfiltration through binary channels in AI products. The technique leverages the ability to ask an AI system yes-or-no questions, extracting one bit of information per query. By iterating through these boolean responses, an attacker can reconstruct sensitive data bit by bit.

The impact scales with what the AI has access to. In Google's ecosystem, that often means the target's entire document library.

When assessing AI features, map what data the AI agent can access. Even a single-bit exfiltration channel becomes critical when the backend has access to sensitive user data.

HTML Injection With Amplified Impact

Two to three show-and-tell presentations revealed HTML injection yielding far more impact than traditionally expected. In conventional contexts, HTML injection rarely escalates beyond low severity. But in AI chatbots that render link previews, images, and formatted content, and that have been granted access to user data, the injection surface becomes a viable exfiltration path.

The pattern repeats across Google's AI chat features: a new rendering capability ships (preview cards, image rendering, link unfurling), and suddenly, what was previously inert HTML becomes an active attack vector.

Tracking Features as Attack Surface

A consistent takeaway from this event: the researchers found that the best bugs were the ones tracking new feature releases. Google ships AI capabilities at a rapid pace, and each new feature introduces:

• Cross-product pivot points where a feature in one product affects another

• New rendering surfaces that may not have undergone the same security review as core functionality

• Regression opportunities where previously patched vulnerabilities reappear in new contexts

So set up regression testing for previously reported bugs. With the velocity of AI feature development, old vulnerabilities resurface regularly, and these are well-compensated findings.

The Slop Report Problem

Google's triage team shared an observation: AI-generated vulnerability reports are degrading the signal-to-noise ratio. The consequences are significant:

• Triagers close reports they cannot parse due to verbosity and lack of clarity

• Valid bugs get buried inside AI-written slop, discovered only when a cleaner duplicate arrives later

• Reports that do not demonstrate understanding of the product (confusing discovery docs with secrets, treating public API keys as vulnerabilities) erode trust

How to Stand Out

Justin has refined a VRP reporting agent that produces concise output, though even after extensive prompt engineering, manual editing remains necessary. The key differentiator, however, is POC video recording.

The workflow:

1. The moment a potential vulnerability surfaces, start screen recording

2. Walk through the exploitation live, narrating the steps

3. Save the recording immediately: AI behavior is non-deterministic, so capturing it on first trigger matters

4. Write the formal report based on the video

A POC video cannot be AI-forged, which makes it a trust signal for triagers operating in a sea of generated content.

SDK Security: Path Traversals via Claude Code

Moving away from AI-specific findings, Justin highlighted a powerful technique: auditing SDKs for path traversal and injection vulnerabilities using Claude Code.

The underlying pattern is straightforward:

1. SDKs wrap REST APIs

2. Function parameters like userId map directly to URL path segments

3. Without proper sanitization, an attacker can manipulate these parameters to traverse endpoints

getUser(userId) → GET /api/users/{userId}
getUser("../organizations/target") → GET /api/organizations/target
getUser("../../admin/delete") → potential destructive action

Methodology with Claude Code:

• Feed the SDK source code into a Claude Code session

• Prime it to identify all user-controlled input flowing into HTTP request construction

• Trace each parameter through the wrapper to the underlying REST call

• Identify missing sanitization at each boundary

What required manual code review at past events is now a focused Claude Code session. Someone dominated a live hacking event years ago by finding traversals in SDKs through manual review. The same approach is now dramatically more accessible.

Auth Grant Scope Expansion

You can find a bunch of different bugs on Oauth scope. The pattern:

• An API requires an OAuth-style auth grant with defined scopes

• The user consents to specific permissions via checkboxes

• The resulting grant actually authorizes broader access than what was displayed

• MCP servers and third-party integrations inherit these expanded permissions

This remains an under-explored attack surface. Most researchers click through OAuth consent screens without auditing the actual scope of the resulting token.

For any target that exposes APIs behind OAuth grants, compare the displayed consent scopes against the actual token permissions.

Protobuf Hacking With Protoscope

Google's extensive use of protobuf creates friction for security researchers, particularly when dealing with binary-encoded payloads. Justin recommends protoscope as the best CLI solution.

How it works:

# Define fields with numbers and types
2: {"some string value"}
4: {3: 6}

The tool operates via stdin/stdout, making it composable with existing workflows:

Workflow with Caido:

1. Base64-encode the protobuf payload

2. Import into Caido

3. Use the encode/decode workflow to avoid stray byte issues

4. Modify fields, re-encode, and replay

WebSocket Attack Surface

The HackerOne event featured heavy WebSocket usage, highlighting an under-tested attack surface:

• WebSocket security is less understood and less assessed than traditional HTTP

• Caido lacked robust WebSocket support at the time (a new WebSocket repeater is shipping soon, with Justin contributing to the interface design)

WebSocket-heavy applications represent a meaningful opportunity for researchers willing to invest in tooling and methodology.

Webhook Security and Friction Elimination

• Webhooks are public endpoints by design. They exist to process third-party data

• Key questions: Where does ingested data flow? How is authentication validated? Is cryptographic verification implemented correctly?

• Most researchers encounter signature validation (SHA-256 HMAC, JWT verification) and disengage due to friction

This is where Claude Code fundamentally changes the calculus. Cryptographic operations that previously represented a hard barrier like re-signing payloads, computing HMACs, bit-flipping attacks on hash extensions, become trivial to implement in a Claude Code session.

The implication is clear: any attack surface previously gated by cryptographic complexity deserves a second look.

Human Tokens and Self-Advocacy

NetworkChuck introduced the phrase "don't waste your human tokens" in a group chat, applying AI terminology to human effort allocation. Joseph expanded the concept to "mouth tokens", specifically, the skill of advocating for your findings at live hacking events.

The Advocacy Playbook

1. Know what deserves a fight.
Not every triage disagreement warrants pushback. Burning credibility on minor severity disputes costs more than the bounty delta.

2. Prepare a hit list.
Before engaging with triagers or program representatives, have a clear elevator pitch for each report. Know the impact, the reproduction path, and the severity argument.

3. Walk them through it live.
Approach triagers directly: "You are going to triage this, let me walk you through it quickly." A live demonstration is more compelling than a written report.

4. Get verbal commitment.
Summarize at the end of each discussion: "So we agree this is a High?" Many researchers skip this step, leaving severity decisions ambiguous.

5. Document immediately.
Comment on the report on what was discussed and agreed upon. This creates an official record and signals professionalism.

The researchers who consistently earn top payouts at live events are not always the ones finding the most bugs; they are the ones who articulate impact effectively and follow through on every report.

Resources

• Protoscope - CLI for binary protobuf encoding/decoding

• Google VRP - Google's bug bounty program

That's it for the week, keep hacking!