
Google confirmed a vulnerability that allowed anyone to determine an account's linked phone number in less than 20 minutes

A vulnerability in Google’s account recovery system allowed attackers to determine any user’s private phone number knowing only their email address. The company has already fixed the bug and paid $5,000 to the researcher who discovered it.


As TechCrunch reports, an independent security researcher working under the pseudonym brutecat discovered a bug in Google’s account recovery mechanism. The vulnerability made it possible to bypass the protection logic and recover the phone number the user had added for restoring access, without triggering any warning to the account owner.

Brutecat built a complete «attack chain»: first, the attack obtained the full display name of the account; then it bypassed the anti-bot protection that limits the number of requests to the password recovery function. Finally, a script iterated through candidate numbers and recorded each time Google confirmed that part of the digits was correct. This allowed the full number to be established with high accuracy.

To test the exploit, a new Google account was created. A unique phone number that had never been used before was linked to it, and brutecat was given only the account’s email address. In less than half an hour, the researcher sent back the correct number with the words «bingo :)».

Google confirmed the vulnerability and said it had been patched. According to company spokesperson Kimberly Samra, there have been no confirmed cases of the bug being exploited in real-world attacks. At the same time, the researcher was paid $5,000 under the Vulnerability Reward Program.

What danger does this entail?

Once the number is obtained, attackers can attempt SIM swapping, an attack in which control of the victim’s number is taken over through the mobile operator. That in turn opens access to password recovery, banking apps, email, and more. Users who deliberately keep their numbers private, such as journalists, human rights defenders, or activists, are particularly at risk.

SMS-based recovery systems remain a weak point in digital security. As this case shows, a bug can expose key private information, a personal phone number, even without the account itself being compromised, and the exposed number is itself a risk.

This case once again confirms the importance of bug bounty programs and cooperation between companies and independent cybersecurity researchers.

Recently, our news feed also featured an article about how Google urged users to immediately update their Chrome browser due to a high-severity vulnerability that allowed remote attackers to steal confidential data from other sites.
