IntroductionDiscovery & PoCGato-XPeculiar CheckoutGato-X – Coming soon to all!Proof of ConceptDetection by Harden-RunnerCommit in Network of ForksExfiltrate to Secret GistDid it work?Disclosure TimelineReferences Introduction Recently, I reported a “Pwn Request” vulnerability in Google’s Flank repository. Flank is described as a “Massively parallel Android and iOS test runner for Firebase Test Lab” and is an official Google open source project. The vulnerability allowed anyone with a GitHub Acco...