Google fixes bug that exposed private phone numbers
The issue enabled automated brute-force attacks using simple scripts

Jun 10, 2025, 09:41 am

What's the story

Google has patched a critical bug that allowed attackers to expose the private recovery phone numbers tied to Google accounts. A security researcher known as brutecat uncovered the flaw in the legacy username recovery form in mid-April and reported it to the tech giant. The issue enabled automated brute-force attacks using simple scripts. Google has now fully disabled the vulnerable endpoint and issued a fix to protect user privacy.

Attack details

How the exploit worked

The exploit involved an "attack chain" of multiple steps, including leaking the full display name of a targeted account. It also bypassed an anti-bot protection mechanism that Google had put in place to stop malicious password reset requests from being spammed. By bypassing this rate limit, brutecat was able to quickly cycle through every possible digit combination for a targeted account's phone number and find the right one within minutes.

Risk assessment

Script automated the attack chain

The researcher automated the attack chain with a script, making it possible to brute-force a Google account owner's recovery phone number in less than 20 minutes. TechCrunch tested this by creating a new Google account with an unused phone number and giving brutecat its email address. The researcher was able to reveal the private recovery phone number within minutes, confirming that even anonymous Google accounts were exposed to targeted attacks such as takeover attempts.

Bug bounty

Google has fixed the issue

A Google spokesperson confirmed that the issue has been resolved and thanked the researcher for bringing it to their attention through their vulnerability rewards program. The company has not seen "any confirmed, direct links to exploits at this time." For their discovery, brutecat received a $5,000 bug bounty from Google.