random-unknown-username

rand0m_unk0wn

who-am-i?

A random 15-year-old who thought he could use LLMs to hunt bugs for easy money. I started bug hunting in March 2025 — about a year ago. Before that, I had ~15 years of experience… at life. I used to do some firmware development and freelance PCB design, but I had almost no real software or security background.

I assumed ChatGPT could fill that gap for me. I was wrong.

things i didn’t do

Not a single PortSwigger lab
Didn’t properly learn JavaScript or web dev
No fancy tooling workflows like everyone was preaching for “easy money”
Never really tried finding HTML injections or XSS, they just felt too unpredictable
Never listened to those youtubers who say master this one bug and be rich
Also the one I’m not too proud of, never got the time to listen to CTBB podcast, because of time management with school, homework, and hunting made it so that I had barely any time to do anything else

how it started

I jumped straight into manual hunting with Burp Suite. Which meant:

I knew nothing
I kept making stupid mistakes because of that
I banged my head against WAFs for hours
But that exact “try-hard” mentality ended up making me unique

For the first 2–3 months I only hunted on HackerOne. Everything got marked duplicate. Triage was absolute garbage.

switching approach

So I started looking for programs with better triage. After scrolling Reddit and forums for weeks, one name kept popping up: Google VRP

At first I thought: It’s Google. And I’m just a 15-year-old with an LLM usage limit. But that’s exactly why I chose it — if it’s hard, I’ll actually learn something.

one year later

Total bounties: ~$31,000 USD

Still learning.

Most of my bugs aren’t even fixed yet, so I can’t share much publicly.

That’s why this is still just a single-page blog (for now).

My First Bounty: “The Unexpected Google Domain Check Bypass” — bypassed by me

This is the write-up of my very first bounty ever.

I was casually reading this old report: https://bugs.xdavidhu.me/google/2020/03/08/the-unexpected-google-wide-domain-check-bypass/

I have this weird habit of trying to reproduce everything other hunters find, just to see if I can bypass it. The URL had this insanely long pb parameter:

https://console.developers.google.com/henhouse/?pb=["hh-0","gmail",null,[],"https://developers.google.com",null,[],null,"Create API key",0,null,[],false,false,null,null,null,null,false,null,false,false,null,null,null,null,null,"Quickstart",true,"Quickstart",null,null,false]

It looked like it was controlling the entire flow of the page. So I did the only thing a clueless teenager would do — I started changing everything randomly.

At the time I didn’t even know what protobuf was. I just replaced “Create API key” with “PLS GIVE ME SOME IMPACT” and…

Screenshot 1: UI spoofing — whatever I typed actually appeared on the page.

At first I thought “okay, classic UI spoofing, probably low severity.” But the feeling of being close to something bigger kept pushing me to dig deeper, so I kept editing parameters.

After a few tries I could even control which project the API key was being created for:

Screenshot 2: Project selection now under my control.

Still not very impactful — a victim wouldn’t just click “Next” and paste the key somewhere. So I started systematically testing the protobuf fields.

Here’s roughly what the array looked like:

[
  "hh-0",                  // UI flow selector
  "gmail",                 // API to enable
  null,
  [],                      // random junk
  "https://developers.google.com", // allowed origin
  null,
  [],
  null,
  "Create API key",        // title text
  0,                       // ← THE MAGIC FLOW SELECTOR
  null,
  [],                      // owner account stuff
  false,
  false,
  // ... 20 more fields ...
  "Quickstart", true, "Quickstart", null, null, false
]

Being the clueless kid I was, I spotted the single 0 and thought “what if I change it to 1?”

Screenshot 3: Flow changed to 1 — a completely different UI appeared.

Now the real fun started. I wrote a quick Python fuzzer and discovered that almost every single field in this protobuf could be controlled. By stuffing the end of the array with the right values I could make the form auto-fill itself:

"WEB_BROWSER","WEB_BROWSER","https:%2F%2Fs70pb9ag.ssrf.cvssadvisor.com",...

Here’s what that looked like in action:

Screenshot 4: Auto-filled fields after protobuf manipulation.

A bit later I discovered that toggling a few true/false values also made the “Next” button click automatically. At this point, an attacker who knew the victim’s project name could build a single link that:

Overwrote authorized JavaScript origins on ALL of the victim’s OAuth client IDs.
Created brand-new client IDs.
Did the whole thing with one click.

Just clicking the link produced these results:

Screenshots 5–7: One-click OAuth client ID takeover in progress.

But now what? Should I report it? Or go deeper? I decided, let me just real quick change that one flow parameter to something like 2 or 3. (At that time I didn’t know how protobufs worked, and if I had the knowledge I have now, I probably wouldn’t have found the next issue. Sometimes not knowing what to do is good!)

Screenshot 8: Flow 3 — now it’s asking to create a Service Account with selectable permissions.

One more protobuf tweak (["owner"] in the right spot) and I could force the victim to create an Owner-level Service Account. The final step was a social-engineering PoC that tricked the user into dragging-and-dropping their permanent credentials straight into my account.

Here’s how evil it looked:

Screenshots 9–10: The final 1-click Owner service account + credential exfil PoC. (Yeah… you can tell I used AI for the scary text).

And just like that, a random teenager turned a domain-check bypass into a full OAuth configuration compromise and privilege escalation chain.

The two Attack scenarios :-

attacker sends link
victim clicks once

attacker gains:

control of OAuth configuration
ability to inject malicious redirect URIs

1 click + 1 drag and drop project takeover as roles/owner

I’d like to thank David Schütz, whose prior research indirectly contributed to my first bug discovery

Timeline & Payout

2025-06-27 — Report submitted
2025-06-27 — Acknowledged and routed to Cloud team
2025-06-28 — Sent extra PoC variations
Aug 26, 2025 — Initial bounty: $3,133.70
- Sent for re-evaluation (panel had missed the 1-click OAuth — my fault tbh for writing a 50-comment novel)
Oct 16, 2025 — Final reward: $10,203.30

Google’s official rationale :

“Google Cloud products on Tier 1. Vulnerability category is ‘Execute code on the client’. We applied a downgrade because the attack requires significant user interaction… but in fairness we upgraded for the additional impact discovered.”

Conclusion

Try everything.

Even the most ridiculous, “this will never work” scenarios sometimes pay $10k+.

Keep hunting. The next one is waiting.