DMR News


Google patches bug that exposed users’ private phone numbers

By Yasmeeta Oon

Jun 11, 2025


A security researcher recently uncovered a vulnerability that allowed the private recovery phone number linked to almost any Google account to be exposed without alerting the account owner. The bug posed significant privacy and security risks, because a recovery phone number is exactly the kind of information an attacker needs to target the account-recovery process itself.

Google confirmed the issue has been fixed following the researcher’s disclosure in April.

How the Exploit Worked

The independent researcher, known by the handle brutecat, explained that the exploit leveraged a chain of actions: revealing the full display name of the targeted account, then bypassing Google's anti-bot protections designed to prevent password reset spamming. With the rate limits circumvented, the researcher could systematically test every possible phone number combination until the correct recovery number was confirmed.

Automating this process via a script, brutecat was able to brute-force a recovery phone number in under 20 minutes, with the time depending on the number's length.

To verify the exploit, a new Google account with an unused phone number was created and only its email address was given to brutecat, who quickly returned the exact phone number linked to the account, confirming the vulnerability.
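The two ingredients the article describes, a service that confirms whether a guessed phone number belongs to an account and no effective cap on how many guesses an attacker can make against one target, can be modelled with a small simulation. The following is an added example written for this article; it is not Google's code and does not reproduce any real endpoint. The service class, the account data, the phone numbers and the attempt cap are all constructed assumptions. The same enumeration loop is run against an unthrottled oracle (the situation the bug created) and against one with a per-target attempt cap, to show why the rate limit, not the oracle's existence alone, decides whether brute force is feasible.

```python
"""Toy model of a recovery-phone confirmation oracle.

Constructed for illustration: the service, accounts and phone numbers are made
up, and nothing here corresponds to Google's actual recovery endpoint.
"""


class RecoveryService:
    """Hypothetical recovery endpoint that answers "is this the recovery
    number for this account?" and optionally enforces a per-target cap."""

    def __init__(self, accounts, max_attempts=None):
        # display name -> recovery phone number (E.164-style, made-up values)
        self._accounts = dict(accounts)
        # None means unthrottled, i.e. the weakness the article describes
        self._max_attempts = max_attempts
        self._attempts = {}

    def phone_matches(self, name, candidate):
        """The oracle. Returns True only on an exact match; raises
        PermissionError once the per-target attempt cap is exceeded."""
        count = self._attempts.get(name, 0) + 1
        self._attempts[name] = count
        if self._max_attempts is not None and count > self._max_attempts:
            raise PermissionError("too many recovery attempts for this account")
        return self._accounts.get(name) == candidate


def enumerate_phone(service, name, known_prefix, unknown_digits):
    """Try every number of the form known_prefix + <unknown_digits digits>.

    Returns (recovered_number_or_None, attempts_made). Stops early if the
    service starts refusing requests."""
    attempts = 0
    for i in range(10 ** unknown_digits):
        candidate = known_prefix + str(i).zfill(unknown_digits)
        attempts += 1
        try:
            if service.phone_matches(name, candidate):
                return candidate, attempts
        except PermissionError:
            return None, attempts
    return None, attempts


def seconds_to_exhaust(unknown_digits, requests_per_second):
    """Worst-case wall-clock time to try the whole space at a given rate.
    Illustrates why a leaked prefix plus a high request rate turns an
    apparently large number space into minutes of work."""
    return 10 ** unknown_digits / requests_per_second


if __name__ == "__main__":
    # Constructed victim: the attacker is assumed to know the country code and
    # area code, leaving four unknown digits for this quick demonstration.
    victim = {"Alice Example": "+15555550123"}

    unthrottled = RecoveryService(victim)
    print("unthrottled:", enumerate_phone(unthrottled, "Alice Example", "+1555555", 4))

    capped = RecoveryService(victim, max_attempts=10)
    print("per-target cap:", enumerate_phone(capped, "Alice Example", "+1555555", 4))

    print("7 unknown digits at 10,000 req/s:", seconds_to_exhaust(7, 10_000), "seconds")
```

The per-target cap is the simplest fix to reason about, but a real service also has to key the limit on the target account rather than on the caller's IP or session, since the attacker controls those; the article's description of bypassing anti-bot protections is precisely about defeating caller-keyed limits.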

Risks of Revealing Recovery Phone Numbers

Exposing a private recovery phone number opens the door to targeted attacks such as SIM swapping. Hackers gaining control of the phone number can intercept password reset codes sent via SMS, enabling them to take over associated accounts. Even anonymous Google accounts become vulnerable once their recovery numbers are known.

Google stated the issue is now resolved and expressed appreciation for the researcher’s contribution via its vulnerability rewards program. A company spokesperson emphasized the importance of collaboration with the security community to promptly identify and patch such flaws. To date, there have been no confirmed reports of this vulnerability being exploited maliciously.

Brutecat received a $5,000 bug bounty reward for discovering and reporting the bug.

What The Author Thinks

This incident highlights the delicate balance between convenience and security in account recovery systems. While phone numbers are a critical recovery tool, their exposure can lead to severe privacy breaches and account takeovers. Companies like Google must continuously strengthen safeguards and monitor for innovative attack methods. Collaboration with security researchers is vital, but users should also remain cautious, enabling multi-factor authentication and staying alert for suspicious activity.

