neobotnet / blog / company-of-the-week
company of the week·7 min read

company of the week: google

Google's bounty scope is six roots, and they aren't six Googles — they're six Alphabets: the search-and-ads core (google.com), the two acquisitions that became household names (youtube.com, blogger.com), and three moonshots — DeepMind (AI research), Waymo (self-driving cars), Wing (drone delivery). Read from outside, the estate is enormous and almost boringly clean. The thesis the data makes concrete: big is not the same as exposed. neobotnet's demonstration here is subtractive — it takes the loudest alarms and walks every one of them back to intent.

Google runs a public Vulnerability Reward Program, which puts that estate in scope for outside research — neobotnet's full index is in /urls.

6
in-scope roots
40,052
dns resolved
757
live web servers
45
technologies
242,857
urls indexed

read from dns: six roots, one of them a mirage

Public DNS hands you the shape first. Six root domains, and they aren't six versions of one company — they're six of Alphabet's bets, each still flying its own name:

google  ·  6 in-scope roots  ·  the whole alphabet, read top to bottom
│
├─ the core .......... google.com    14,890 names → 8,700 distinct ips   (search, ads, workspace, cloud)
├─ the pillars ....... youtube.com    8,709 names → 4,048 ips            (bought 2006)
│                      blogger.com      420 names →   240 ips            (bought 2003)
└─ the moonshots ..... deepmind.com  15,010 names →     4 live servers   (ai research)
                       waymo.com        982 names →     7 live servers   (self-driving)
                       wing.com          41 names →    31 live servers   (drone delivery)

The DNS finding is the walk-back. 40,052 names resolve, but 14,992 of DeepMind's 15,010 are *.r1.deepmind.com, every one answering to a single shared IP — a DNS wildcard (a record that answers any name you invent under it, whether or not it's real) catching a scanner's guessed names. And the guesses are transparently wordlist-derived: financialplanner.<junk>.r1.deepmind.com and thousands like it, none of them real hosts.

Strip the mirage and DeepMind is 18 real names and 4 live web servers; the honest resolved surface is roughly 25,060, not 40,052. The moonshot with the biggest DNS shadow has the smallest real presence — while google.com and youtube.com, at 8,700 and 4,048 distinct IPs, are the genuinely huge estates. The raw count lies; the shape is what matters.

browse the dns layer in /dns →

read from http: one login, the whole estate

757 hosts answer with a live page, and one title drowns out the rest. The single most common page across all six roots is "Sign in - Google Accounts" — 97 times on google.com, 18 times on wing.com — one SSO (single sign-on: one login that gates many separate services) fronting everything down to a drone-delivery partner portal. The product catalog reads straight off the page titles:

google public web  ·  757 live hosts  ·  what answers the door
│
├─ the one login ..... "Sign in - Google Accounts"   97× google  ·  18× wing
│
├─ the core products . "Google" 55  ·  "YouTube" 55  ·  "Google Cloud Platform" 16
│                      "Data Studio" 15  ·  "Google Sheets" 11  ·  "Google Maps" 7
│                      "Drive Sign-in" 7  ·  "Gmail" 5  ·  "Google Meet" 5
│
└─ live hosts per root  google 554 · youtube 92 · blogger 69 · wing 31 · waymo 7 · deepmind 4
        │
        the live-host order inverts the dns order — the moonshot with the most
        names (deepmind) serves the fewest pages; the core serves the most

Even the newest moonshot answers through Google's login. Wing's entire web presence reads in three lines: the SSO 18 times, Wing Drone Delivery marketing 4 times, and Wing Partner Delivery Onboarding 3 times — a drone-delivery partner portal gated by the same account screen that fronts Gmail.

One caveat on the captures: /sorry/index answers 429 — Google's "unusual traffic" bot wall turning the crawler away — so many rows are request shapes, not live bodies. A 200 means the gate loaded, not opened.

see the live pages in /probes →

read from the urls: the payload that isn't

242,857 URLs indexed, 203,222 alive, and across the whole corpus: zero JWTs, zero auth tokens, zero credentials in URLs. The content-type hunt — searching by what a server says a file is (its content_type), not by the extension in the URL — that surfaced 711 customer invoices on Bolt returns about 13 PDFs here and no invoices, no data exports. Google leaks no documents. State the negative plainly: there is no secret in this quarter-million-URL corpus.

What there is, is noise that looks like a finding. Two shapes fire loudly; both walk back.

Finding 1 — 38,596 "cross-domain redirects," every one intentional. A cross-domain redirect is a URL param that sends the browser to another site; it's only dangerous when the server doesn't check the destination belongs to it — that's the open-redirect risk. A scanner screams it 38,596 times here. The composition:

  • /travel/clk?pcurl=38,100, Google Travel's hotel-affiliate click-tracker
  • /url?q= / ?url=437, Google's documented link redirector, which serves an interstitial warning page
  • /o/oauth2/v2/auth?redirect_uri=16, OAuth, cross-domain by design
  • /cloudshell/editor?cloudshell_git_repo=13, open-this-GitHub-repo-in-Cloud-Shell
  • /blog-this.g?u=12, Blogger's bookmarklet

Every high-volume instance is a mechanism Google runs on purpose and rates low. The alarm is loud and the finding is zero — and telling those two apart is the whole job.

see the cross-domain parameters in /urls →

cross-domain redirect parameters — google travel's /travel/clk affiliate tracker and the /url link redirector — in /urls

Finding 2 — 7,584 same-domain login-return tickets. The post-login "send me back here" params: continue (6,830), followup (4,512), url (714), all pointing back to Google properties — the same return-ticket shape 8x8 had, at Google scale. The one test that matters: does every continue/followup strictly validate that the destination stays on-Google? On this data every value is same-domain — a shape to test, not a finding.

see the login-return parameters in /urls →

same-domain login-return parameters (continue, followup) pointing back to google, in /urls

Two lone signals close the section, both walked back. A single google_api_key sits on /maps/embed/v1/place?key= — a Maps Embed key, public by design and restricted by referring page, not a leak. And a single email hit is a parser artifact on a malformed captured URL, not an address in the open. Neither is real.

One last pass, by hand, through the HTML itself — hunting the corpus for the words that usually mark a soft spot: admin, console, debug, internal, setup. It returns hundreds of live pages, and every cluster is documentation. The 511 "debug" hits are Search Console's /monitor-debug/ guides and Earth Engine's debugging reference; the "console" pages are the Chrome DevTools docs. The interesting-looking parameters go the same way: onload= is reCAPTCHA's own documented callback, template= opens the public issue tracker, and the lone callback= is a 404 on Google Reader, shut down since 2013. The words that look like a way in are the words Google uses to explain the way in.

what it adds up to

Google's estate is well-kept: an SSO wall fronting the whole thing, a bot wall turning away the crawl, and a quarter-million-URL corpus with no cloud keys and no secrets. It's clean precisely enough that a researcher can rank what's left:

  1. the login-return validationcontinue, followup, redirect_uri across every entry point. The one class with real surface, and the first thing to test: whether each strictly holds the destination on-Google.
  2. the moonshot and edge stacks — Wing's partner-onboarding portal, Waymo, Blogger. Each answers on its own code at its own patch cadence, separate from the core.
  3. the wildcard and dark zones — DeepMind's 14,992 phantom names on one IP, a reminder the raw count lies and the real surface is smaller than it looks.

Two things stated plainly, the way this series always closes. Every item above is a signal, not a confirmed vulnerability — neobotnet surfaces the shape; confirming exploitability is the researcher's job. And the right destination for anything live is Google's Vulnerability Reward Program, not a blog post.

next week

neobotnet runs the same pass on a different in-scope program every week. Subscribe via RSS or browse the company of the week archive.