Research Review #-2: RCE in Google's AI code editor Antigravity (sudi)
Transcript
Research review number two. That's an ambitious number. Uh so we have uh what should be some very good research around uh hacking Google's AI code editor Antigravity RCE and Google's AI code editor Antigravity $10,000 bounty by Sudi. Uh so number one it's just VS Code fork with or what is it? Is it VSCodium? whatever the open source uh whatever but with like it says wind I mean Antigravity. Um I wanted uh I have a lot of thoughts in this space and I can't talk about a lot of them which is great.
So um I I mean I expect this to be a very uh thoughtprovoking writeup and I expect to suffer a beautiful passion as we go through this. That That's my expectation. So, I think I'll just get into it. Uh [clears throat] oh. Video.
Is this by Sirius? No, I don't. All right. Whatever. In continuation of our series hacking AI browsers, we are back again. This time targeting Google's Antigravity.
Google released a new IDE a couple of weeks back. Uh a little bit more than that. Uh dubbed Antigravity. It's based on tweets and drama. You all might know that the inner workings and everything else are the same as the Windsurf IDE.
When it comes to anything Windsurf related, we are kind of veterans. Ah, there we go. That was probably Sirius then. Yeah, it is. Okay.
As soon as a new AI browser, IDE, or tool hits the market, it becomes a race to find the first impactful bounty. This time, Sirius was busy building cool stuff. So, it was my turn to find an entry point and work towards it. The Google IDE comes bundled with a browser. Based on our past experiences, this is a lucrative target.
Yeah, dude. Here's a brief explanation of Antigravity IDE's workflow and how it integrates with the browser. Um, so VS code extension human interacts with that it thinks LLM call. It has some tool. Okay, so it has language server macOS.
Uh, there's a VS code extension in here which interacts with the language server. This server exposes a bunch of API calls responsible for handling any task whether from the IDE or other sources. Okay. Um, so the language server I thought language servers were for like syntax highlighting uh not like tool calls. What? Okay.
Using a tool like proc explorer.exe we can get a comprehensive view of what's being executed by the Antigravity IDE. Okay. Yeah. So there we go. There's the Electron.
There's some child process that is the language server and it's using Node. Dude, that's nice. Starting the language server with and then some flags that let's see what we do. Okay. Um huh.
Okay. That's that's how it calls it. Okay. Yeah. Yeah.
So, it passes the language server binary some stuff to set it up so it can talk to it. And it looks like it's using pipes and ports and some Oh, lord, that's a lot of stuff. Uh this binary is responsible for running the server. The port is specified in the extension server port argument which is random for each run. Okay.
And the CSRF token flag, I guess it's a flag like a like the call flag, uh, is added as a precaution to protect against DNS rebinding based attacks similar to the one Sirius found. Language server binary invokes the node.exe binary as well. Looking at the command line, this is what we see. So uh, what? Oh lord. Okay, so this is for the browser. Okay, so it's using Playwright which is used to control browser automation.
The core of the IDE lies within the language server Windows x64.exe. This is written in Golang. What? What? The core of the IDE lies with I thought I thought this was what what what so it's like running what what what I I don't no I thought it was just VS Code fork with a VS Code extension built in that backs the AI pieces of it and I thought this was talking about like some browser tool functionality but like the whole thing runs in uh let's say uh API interactable web wrapper and then then it can like fully interact with itself. That sounds insane. I don't know.
I think I must be misunderstanding this. Um after playing around with the IDE and looking for potential pitfalls, I concluded the following two entry points that should leave me with something impactful enough. Pwn language server. This should be easily achievable by finding a way to leak the CSRF token which is used to protect against DNS rebinding based attacks. This protection was added specifically in response to the issues identified previously by Sirius.
The language server validates the x-codeium-csrf-token request header for every incoming request. The first step was to understand how the CSRF token is generated by inspecting the extension source at there we go. There's the Antigravity extension that gets shipped with the bundled uh VS code fork. We can identify the relevant code path. And then there's the Node.js code that uh it looks like a crypto.randomUUID uh source is reaching that uh based on the description of randomUUID from MDN, we can assume it's safe and not something we can predict unlike cases where Math.random is used.
Yeah, it'd be funny to see like a Node.js bug or whatever that uh Oops. But uh yeah, know that'd be a Node bug, right? Yeah, that's like part of the Yeah. Um crypto.randomUUID method. I'd look for other places where the CSRF token might be leaked. I decided to run a strings operation on the language server binary and check how the CSRF token value is being used.
I searched for patterns such as CSRF token, CSRF token, etc. Found some interesting placeholders. Looking at line one, it uses a string formatter and the value might be a JSON object as seen on line two. It accesses the request CSRF token property. Based on the comments, it's clear that the script is injected into the browser.
Interesting. Could also see calls like this related to the CSRF token. Uh so it's doing some sort of protobuf stuff. Okay. For however, in order to get a better understanding of the language server, one would have to reverse engineer this Golang binary.
For now, we won't concentrate on that. Yeah, me neither, man. When there's like JavaScript to go read, let's go read that instead, man. Uh as the CSRF token was being used in the Playwright scripts, I decided to check the browser. Oh, wow.
What? What? Uh, so let's jump to it right away. This is the very first time you open the very fir Okay, so they're hacking the integrated browser piece of the IDE. That makes sense. So it's not like the whole thing runs a wrapper around itself and that like Okay. Like I don't even have great words to describe what I was imagining there.
Um, but uh it would be very cursed. Okay. Yeah. Uh very first time you open the integrated browser, you'll be prompted to install an extension, Antigravity browser extension. This extension is what empowers the AI agent to interact with the websites opened in the browser.
Okay. Once the extension is installed, you can play with it. For example, from the chat window, you can provide a prompt such as open example.com and change the background color to blue. Okay. Wow.
Uh you know, you shouldn't be doing this. Somebody should uh let Google know that like this is against be best security practices and they should just burn it all down. This just seems like a bad idea. [clears throat] This looks interesting and leaves us with a question. How is it controlling all of this? True.
Remember earlier we saw node.exe being invoked to run the cli.js script for Playwright. We can actually debug this and get a better understanding of what's going on. To debug the cli.js script, we can either modify the code to enable debugging or try to place a proxy node.exe that appends the --inspect argument when executing cli.js. Um, I think you can set Node options via environment variables actually. Uh, that might be an easier way to do it.
In fact, uh you could do something very bad there. Um but that just injecting it via env var would be an option. It's Yeah, I think it's what is it? I think I literally said the name NODE_OPTIONS. Yeah. Uh and you can just append additional Node options and that's I I like using that for like Docker containers sometimes because it's easier than trying to patch things.
Uh but yeah, right. Um however, there's a much easier way to do this that doesn't require any setup. We can also see that it's using the --remote-debugging-port flag when launching the browser. Oh, nice. So, you can just attach.
Um, yep. Uh, the easier way I talked about is to just grab the PID of the node process you want to debug. Uh, oh lord. Wow. Okay.
I actually didn't know this trick. In my case, it's 40632. So, I would execute the following command in the terminal. So, you can run node -e and call process._debugProcess with a PID. I didn't know that one.
That's um that's really cool. Uh, and so then I guess it'll like bind a listener for that guy or something. Then open chrome://inspect in your browser. From there we should be able to debug the CLI process. Nice.
That's a really good trick actually. Um, I need to remember that when I'm on other systems that I want to Wow, that's so good actually. Yeah, that's powerful for Yeah. Okay. I I'm just thinking of so many spots I would want to use that in.
Huh. Okay. In the extension service worker, we can find references to the CSRF token at Chrome extension. Oh lord. What? It's a Chrome ext Oh lord.
So it's adding a custom Chrome extension to the headless browser or not headless. There's a head but to the to to Playwright uh wrapped browser so that it can talk to the uh VS Code extension node backend process and those guys can fiddle the browser on behalf of what the LLM thinks is cool to do to the Yeah, that's uh that's cool. Um, it sounds terrible. That's a great scope though. Maybe ah lord.
I wanted to look at uh Antigravity, but I heard it was a dupefest and that bugs have been coming in so much faster than they can fix things and then writing Google reports. I Google just hasn't treated me well, man. Sorry. Like um I [sighs and gasps] Yeah. Uh, and maybe I haven't like played hardball with them because I understand that that's how what you got to do.
You got to talk about, okay, then can we disclose this? And then they'll, you know, it's it's a different game. Um, and I do intend to learn it soon, but yeah. Okay. On line five, you can see it's setting the value specified in this.Z to the x-codeium-csrf-token key. Tracing this value back leads us to the self.setCredentials method where the first argument of the function is supposed to contain the CSRF token value.
Uh so let's see we've got minified JavaScript my favorite. Um but like unironically maybe um yeah so it has here's some code snippets. Now searching for where setCredentials is called gives us no results. This was strange because how the hell is this extension getting its hands on the CSRF token? The answer lies in the script we got earlier from the strings results of the language server binary. Okay, so is it okay? Yep, there's an RPC client.
Great. This makes everything clear. The above code is injected into the context of the Antigravity extension. globalThis.setCredentials is the same as self.setCredentials and the first argument is clearly the CSRF token. In order to view the Playwright injected content scripts in the browser, we need to enable an additional option in DevTools which isn't enabled by default.
Under Sources, search: enable search in anonymous and content scripts. Uh, do I have that enabled? I don't think I have that enabled because I think I would have annoying hits in anonymous uh like VM scripts. That's a really good thing to know about though. Uh, so thank you. I again I knew this would be a good write up.
Uh, so now if you search for evaluate, you should see some results. Without enabling that option, you will see zero results. I've set a breakpoint here because the method is responsible for evaling the injected content scripts into the page. This comes from the playwright-core package at and then linked to Playwright. I didn't know that was Microsoft.
I knew it was um so yeah there's the script that then does stuff and runs client side code. Uh the second argument for the evaluate method expression contains the following value. Let's see that is some JavaScript. Uh directly set the credentials in the service worker's global scope. Okay, seeing this, I wanted to confirm whether there was any chance the same script was evaluated in the web page context or not.
Yeah, okay. Because then you could have an evil page that is like a CSRF token. Lord, that is a chain. Uh, however, it turns out this is only evaluated in the context of the extension service worker. So, there's no way to leak the CSRF token.
Sad. That'd be such a funny chain. Honestly, like should write less secure code so that there can be more funny chains. By casually using the intended functionalities of the Antigravity agent to interact with web pages, I could in real time view what type of scripts etc. are injected into the normal pages. Nice.
Sometimes these injected scripts have extra privileges and they may be available only for a limited time. Interesting. For example, I was able to find one case window.update actuation overlay uh cascade ID display string. Okay. Uh, update actuation overlay is used to display those agent messages in your browser window.
For example, in the above screenshot, you can see it says agent needs your input. Wow, they're running that in the DOM of the uh viewed page. That's crazy, huh? And not doing it like as an overlay in uh like the workbench uh VS Code UI there. I'm using language that I think is overly specific for somebody that hasn't spent time looking at these kinds of applications. And I don't know if that's a bad thing or not, but um might have might have helped to do like a primer on how VS Code uh VSS code extensions slash webviews uh work and extension backend node pro.
Yeah. Uh oh. Well, whatever. Um, we can again search for this method name to find its declaration in the hidden content scripts. This method doesn't do anything other than displaying that the then displaying that overlay prompt about the AI agent.
Can we find UXSS? Uh, this method is accessible temporarily and only when the agent is in a running mode. Okay, you can see those blue border lines as an indication of that. To confirm my hypothesis, I hosted the following code on my server and instructed an agent to perform a task on it. The code below calls the update actuation method with an arbitrary display string key which gets executed every 10 milliseconds or so. Didn't take long enough to confirm it.
Nice. So, you can actually call that which is cool. Um, aside from this, I spent some time figuring out if there were other meth other such methods that would allow me to do something impactful. Yeah, definitely. Since we are targeting a browser here, something like a universal XSS.
Hey, what did I say? UXSS also would be impactful. But no dice. I couldn't find anything like that. And it all seemed to be limited to UI functionalities only and very limited. Man, that sucks.
Uh, it was a failed attempt as in the end I wasn't able to find anything impactful there, but I wanted to share the details. Yeah, that's interesting. And I kind of have some ideas there for like Huh. Like I wonder how that works with Does that work on iframes? I just I wonder if that just exposes any like strange edge cases that break traditional browser trust rules in some way. I don't know.
Yeah, I would have to look at that and think about that and I don't want to because I don't I don't want to enter the Antigravity space because I just understand that it isn't for me. I don't Am I wrong? Could be wrong. Could be wrong here. Uh could be leaving a lot on the table, but uh yeah, I need to like I need to fix that. Uh, all right.
Pwn the browser extension. I then moved on to the browser extension itself, hoping to find something there at least. Starting with the extension source code, the very first thing I looked at when auditing an extension is the manifest.json file. The externally_connectable property here was set to all URLs, meaning it allows whitelisted origins to talk to the extension via chrome.runtime.connect / runtime.sendMessage.
Uh, refer to Perplexity Comet for more details. If you want to know how we are able to pwn the Comet browser which had an over permissive origin set for this property. Okay, that's interesting. Post message handling this can be found here in the Chrome extension service worker binary and it has a listener. Uh so I'm going to summarize what all of these actions you can do here.
What man I need to learn how to read. Okay, looks like it has an RPC call validate cascader cancel overlay smart. All right, here we go. Let's look at the summary. Uh, okay.
Some of these instantly like save screen recording uh to where RPC call validate cascader cancel overlay smart focus conversation register target ID get current tab ID that could be h service worker wake up get mime type check jet ski connection save screen recording that where where uh can we get some sort of like write gadget there seems to be a bunch of functionalities that could be triggered some sample code can be seen in the content script showing how these actions are called. Okay, so we've got uh uh great an event listener. Yay. Um save screen recording looks very interesting based on the naming. Yeah, I imagine that.
So I started digging into this one specifically. Uh this action was called from offscreen binary.js. Based on the if condition check in the message handling code, I was checking for a few more properties that aren't present in the above example code. it was. So I pulled out the message properties one by one.
It expects the action property to be equal to save screen recording. The ZA key to be one of type object file name to be of type string. And lastly, L to be of type string as well. Okay, so some valid message here. Yep.
Had a lot of trial and error when guessing the correct format for this. It turns out that by combining the keys from the example code and the ones mentioned, it seemed to jump to the next function. Nice. Uh yeah, I love having my debugger attached and making valid structured messages. That's a fun game to play.
I It's nice when you can just hook it and dump a valid one instead and modify that, but at the same time, you might miss out on like uh Oh, wait. It also supports this weird thing that's like never used, but would allow for path traversal. All right. Um, sorry. The the ZA key appeared to be the same as K only.
Dude, I don't speak ZA. I don't speak minified variable names. Um, so yeah, the call ends up here, which makes a request to this. system. Save screen recording of the language server.
Interesting. Okay. Along with those parameters such as file name, content being sent to the request body. Yo. Uh, and this request, this is the request which is being sent by the extension for saved screen recording action.
Tell me we're getting file. All right, man. All right. The catchiest part of the screenshot is the response headers. Mainly gRPC message.
Oo, failed. Oh, and it's sending it back to the Is it going all the way home? Uh, failed to save video file. Open full path. The system cannot find the path specified. That's great.
Uh the error message clearly indicates that it was trying to save the recording content to the provided location. For the file path, we have control over two places. Okay. So, okay. Yeah.
Whatever that is. Is that like extension maybe? No. Okay. That's like some folder. Nice.
Okay. Oh, is this like Okay. As the final directory doesn't exist, the file operation probably fails. So, my next step was to see if it allows path traversal. Yeah.
Are we getting our write gadget? Yo yo yo is it working? Modifying the L key which results in the kind of weird path. Uh if I increase the traversal sequence it remains the same error. No. Later I realized I have two injection points in the path and I can add traversal sequences in the file name keypad as well. This turned out to be the final payload.
Yeah, we're getting a file write. I knew it. In my case when I saw that screen save screen recording I'm like can we get a file write gadget and please be yes. Uh in my case my username is Stark PC. So I created a new file C user st PC directory at PC.
Okay, so writing the PC.txt to home with the arbitrary content fully controllable by me. The endpoint response also no longer shows the same error, dude. And you well I think you can path leak and then like write to startup, right? One more thing to point out later I realized that even when this error was being shown, the file was actually being saved to the correct reverse location. Anyway, nice. That's a really good call.
Don't trust error messages blindly. They can be lethal sometimes in blackbox tests. Blackbox test. Yeah, thankfully this wasn't blackbox. Uh that's also Yeah, that's a good tip.
Uh failed to save file open download. Surely the system could not find the path specified. So this bug basically allows us to arbitrarily write any file to the victim's PC. As long as the current user has permissions to write to that location. One easy code execution vector would be the user startup folder.
Yep. By placing an arbitrary executable there. Next time the system is rebooted, the executable will automatically be executed. Dude, nice. That's so good.
I'm glad we got that, Shane. Yes. Um, yeah, dude. Okay. So, yeah.
So, it would be like a you go to malicious website in the uh Antigravity browser. Well, the agent is Oh, no, no, no. Right. Because anybody Yeah. You go to malicious website.
It calls the Chrome runtime connect or whatever to get a uh message guy, talks to the extension back end and says, "Yo, dog, you love talking to me. You're allowed to talk to me because the manifest said so. we're allowed to talk about these kinds of things. Hey dude, I've got a really sweet screen recording for you to save and then it's like, "Yeah, dude. I'll go save that screen recording." Um, and then it saves that screen recording.
And it's like actually an Epic .exe that's written to the startup folder. And then it, you know, you have RCE. Uh, so I think that's the chain. That's my understanding. And that's a really cool chain.
So shout out Google for letting them write about this and shout out Sudi for this sick ass chain. Um, 10 grand. I hope he put it on his neck. All right. Um, so Google added additional checks in the handler method in order to fix the issue.
The newly added sh method on line one validates the origin and some other properties to ensure the message is invoked only with the extension context and not from any malicious page. Nice. Yeah, that's definitely a good call because like you got no business talking to that thing. Um, okay. So, it's got something.
Where's the wait? Oh, interesting. So, it's only added that for the screen recording though and not the other ones. And did it not lock down the extension? Hm. Um, they added the following check here. A is the sh method from the event listener callback.
The second argument which is B as shown below. The message handler is registered using where the callback receives ABC. The B parameter representing the sender is then passed down and ultimately validated by the SH method. The very first check inside the SH method is a URL. Also the b.includes /static/offscreen.html is easy to bypass.
Yeah, just host your Oh lord. Yeah. Okay, just throw it in. Yeah. Um do whatever you want.
Um you you know you can figure out how to make your attacker URL have static/offscreen.html in it if you really want to. Uh the yeah so that easy to bypass. The second check is against chrome.runtime.id which is expected to be the extension's ID. Interesting. I don't Yeah, I don't know how that works.
Uh the last check verifies whether the a.tab property is undefined or null. If so, it evaluates to true. Uh so you want it to be you can potentially get around the chrome.runtime.id check as well if you are able to find a proxy postMessage call. Yeah, I've seen that. Uh they usually look something like this.
Um some ID content script. Yeah. Okay. Since content scripts are injected into web pages, abusing such a proxy could allow messages to appear as if they've originated from the extension context. Yeah.
Sometimes it's just like implemented as a feature, which seems like a very bad design decision, but there might be a reason to do that. I've definitely seen Chrome extensions that do that, but unfortunately, you know, I've dug into it. It's like, oh, I can't even I can't even tell the guy to do cool things on my behalf with this. Uh, but I have seen that behavior. Even if you are able to find something like this in the case of Antigravity, you can see a similar pattern, but it has some checks in place on the type of action you can specify.
So, it's not fully arbitrary. Okay. Yeah. See, and I've I think I've also seen that where it's like limited message relay, although being able to bypass that and like maybe huh. Um, all right.
The last check for a tab can't be made to eval evaluate to true. Tab property will only be undefined when the message is called directly from within the extension itself. Okay, that makes sense. Such as from the service worker. Okay, so if you're proxying through a content script, it's over.
But I wonder how Oh, okay. Uh, even from a content script, it checks the tab property. So, even if we were able to bypass the first two checks, the third check would still be in our way. This is such a great breakdown of the patch, by the way. Like, I I feel like um honestly, if you're going to publish something like this, you should publish a post you should write a postfix analysis.
Um because number one, this is such a great jumping off point for additional research. And then number two, like you're doing due diligence to make sure that like, hey, if I publish this, am I kind of selling myself short on bypassing this because it's like, you know, when you know about it and you can probably come up with a bypass and you have priority for that because nobody else does, like that's that's a good spot to be in. Um and so to sit down and write a postfix analysis and explain you know, almost rubber ducking. Why? Why does this patch work and why can't I bypass it? You might find out that you can bypass it, and you might be like, "All right, well, maybe I don't want to publish this right now, and I want to report this bypass instead." Uh, so this is very good uh and uh very smart thing to do. And it's also again like such a great jumping off point for additional research because like you know as a reader I could be like actually I happen to know about this quirk that may allow us to bypass uh that tab check when it's relaying from a content script because uh I can get the content script to load in some context that chrome.tab is false or whatever when it's like a weird nuance.
I don't know, you know, I I don't, but you know, if you did or had some ideas around um making the computer smile, whatever. Very I like that though. And I mean that's uh a really good point of like I mean Sudi is a very impressive hacker and researcher and that's uh this is uh just just including the postfix analysis is big and like that's like really the difference big difference maker for some of like why are these guys such epic hackers and it's like they're asking the right questions and like digging into the right things here. Um, but yeah, conclusion. As AI powered browsers become more prevalent, the attack surface expands significantly.
The privileged API required to make browser agents functional are precisely what makes them dangerous when improperly secured. This is the third AI browser we've looked at, and both had overly permissive allow lists exposing powerful APIs. Yeah, we're confident there are others with similar issues. Getting browser security right is hard. Is hard.
Even what? Getting browser security right is hard even. Teams with deep uh I don't I think there's supposed to be a space between there. Okay. I thought hard even was like a thing. I'm like no that's not a thing.
I was thinking like uh like like NP hard. All right. Getting browser security right is hard. Even with deep expert even teams with deep expertise struggle with it. Uh, unless you're dealing with a team as heavily invested in security as Google, OpenAI, or Perplexity, think twice before installing that shiny new AI browser.
Yeah, I agree about us. Our security research team is world-class top top ranked CTF competitors, DEF CON published researchers, and leading bug bounty hunters. We've we've hacked browsers, operating systems, mobile apps, desktop software, and massive web platforms. True. Chances are now you've used something we've helped make more secure.
True. We're now channeling that expertise into Hacktron AI agents and us working together to bring that real offensive capability into every stage of the software life cycle. Um, you know what? The writeup was good enough that I will continue reading your advertisement. And that that that's my rating for this piece of review. Good enough write up for me to read your advertisement out loud out of 10.
So be happy. If you're looking to secure your agentic applications and also any kind of applications that you are building, we can help. We've had Cluely, Cursor, Windell, Windsurf, Perplexity Comet, OpenAI Atlas, and now Google's Antigravity and many more. We work closely with teams to secure agentic systems before attackers find what we find. Meet our team at Hacktron AI.
Reach out at helloronaihackron.ai or app.hacktron.ai contact. Yeah. Um, guess what? They earned that. They earn they earned me reading that. Uh so yes, very good write up.
Very uh awesome bug. I'm glad that I was able to follow along with it and kind of predict where it was going. You know, that's kind of shows that it's well written and kind of directing you towards the right things to look at. You know, I'm sure they looked at so much stuff here. Um and ultimately, I mean, this is very good.
I I have um man, I found some cool bugs in some applications similar to this that I just can't talk about. And so I I guess maybe that helped a lot with some of my intuition here. Um but right so let's let's do the research review items. Uh you know we've read through this amazing write up. Um but the question is uh let's see research review questions.
Uh where else can this be applied? Um so you know they kind of answer that question. Uh but I think anywhere that there is uh user-controlled programmatic access to a browser I mean that is a the man SOP same origin policy barely works as is browsers are barely secure when you add another layer on top there's so many complexities there that like like going for that UXSS and when you've got all these systems talking to each other it is very easy to uh allow for things that bypass intended security controls that just break everything. Um I I like the concept of SOP barely works. That's a I don't know if I'll stand on that take, but it is a funny take. Um so yeah, there's definitely similar applications to this and this strategy of um breaking down the components, understanding how they talk to each other is absolutely crucial.
You know, getting a debugger attached to those node processes. And [clears throat] man, are there a lot of node processes with this kind of application like there's the extension host uh node, there's the actual like workbench web stuff that's running like in the Electron web browser, there's just the core Electron like VS Code backend piece, and then I guess with this running that browser, there's even more. So, there's like the Playwright wrapper. Uh then there's the actual DOM of what's being rendered in that browser. Then there's the extension uh backend processes for that extension.
There's that's like six. Uh but anyway, yeah, attach a debugger uh and figure out how things work. How does this generally apply to BB? Uh again, yeah, it's very like understanding how things work is very important and it's very uh as well as the threat model and what you're trying to do. Uh this is a very good write up. Uh further research.
Yeah. So there's I mean there's just so many leads dropped here honestly. Like uh I kind of [sighs] maybe in March after I whatever I I think in March maybe I'll emotionally prepare myself for enough dupes of things and try to do an Antigravity teardown because I have some tricks that um are I can't talk about. Ah, I have like all these variations of like uh things that are cool and are generally applicable across AI IDEs uh that are I can't whatever. I need to do something with this.
Um I already gave it a rating uh which was I'm willing to read your ad at the end out of 10, which that might be the highest rating I've given anything. Um, which you know, uh, that's just called negotiation, you know, like the they negotiated with me by writing really good words, um, and then, you know, putting the ad at the end and being like, "Yeah, all right, fine. You've earned it." Um, so yeah, I guess like shout out Sudi again, very impressive researcher. I look forward to seeing more stuff from him and uh you know Hacktron AI has put out a lot of other amazing pieces of research and I would guess that they do good work as far as like their offerings. I don't know.
I've never worked with them. Their research speaks for itself. Uh yeah. Uh I think that covers this piece of research. very good and definitely a lot of interesting things you could start looking into if you just wanted to jump into uh looking for bypasses or looking for additional interesting behavior they may have missed here.
Uh in thumbs up approved research valid.