In 2013 Google released their Manual Actions viewer tool; within 24 hours I had hacked it and could view the penalties applied to any website.| Tom Anthony
Short version:| Tom Anthony
Short version:| Tom Anthony
I discovered a Facebook bug which allows me to identify whether a visitor is logged in to a specific Facebook account. It can check hundreds of identities per second.| Tom Anthony
<short version> Google takes some user supplied data in a URL parameter which it expects to be a domain name, but does not validate it is a proper domain name or sanitise it. They then inject this value into the page inside an inline block of Javascript, controlling the next page you will visit (halfway through the login flow), which allows you to replace it with a path of your choosing. This path can be a logout URL which then uses a second user supplied parameter to control the ongoing redi...| Tom Anthony
Short version:| Tom Anthony
I was conducting some experiments on how Googlebot parses and renders Javascript, and I came across a couple of interesting things about the way it does so. The first is that Googlebot’s Math.random() function produces an entirely deterministic series. I created a small script which uses this identify Google in an obfuscated fashion:| Tom Anthony
I recently reported an issue to Google, which allows an attacker to confirm whether a visitor to a web page is logged in to any one of a list of specific Google accounts (including GSuite accounts). It is possible to check about 1000 email addresses every 25 seconds. Google have confirmed this as working as intended, and not considered a bug.| Tom Anthony
In the last couple of days Google announced that they were going to start executing javascript on most pages they visit and thus rendering pages far more akin to how our browsers do it. It was inevitable they’d need to do this, so it is a welcome update.| Tom Anthony
I found a bug that allowed me to find anyone with a Google+ account's login email address. This could be used to target specific people for spear phishing.| Tom Anthony