Critical Thinking - Bug Bounty Podcast

Episode 144: Google’s Top AI Hackers: Busfactor and Monke

Oct 16, 2025
In this discussion, Vitor Falcão, a full-time bug bounty hunter known for his client-side exploits, and Ciarán Cotter, a seasoned researcher focused on AI vulnerabilities, dive into their recent successes at the Mexico Live Hacking event. They share insights on transitioning from front-end to AI targets, strategies for submitting bugs, and the challenges faced in full-time hacking careers. Vitor highlights the balance needed to avoid isolation in the industry, while both explore the complexities of exploiting AI-related vulnerabilities.
ANECDOTE

Complex Client-Side Chain Leads To Critical ATO

  • Vitor described a week-long client-side chain: a postMessage handler lacking origin checks, prototype pollution via JSON.parse + Object.assign, and a malicious WebSocket host.
  • He built a custom SockJS-compatible server and used an iframe sandwich to exfiltrate an auth token and achieve session takeover.
ANECDOTE

Server Discord Collab Wins Big At Google LHE

  • Ciarán invited Vitor to collaborate at the Google Live Hacking event after seeing him active in the Critical Thinking server.
  • Together they reported 14 valid AI-related issues and won second place and AI-focused awards.
ADVICE

Prioritize Bonuses Over Distracting Rabbit Holes

  • Prioritize tasks based on event goals and bonus targets rather than following every interesting rabbit hole.
  • Re-prioritize when team leaders call for focus to maximize event bonuses and results.