A researcher calling himself BruteCat has discovered a vulnerability at Google. The flaw allows anyone to guess the recovery phone number for any Google account. To obtain this number, the attacker simply needs to already have the user's Gmail address.
The researcher, who had found a similar bug in YouTube a few months earlier, realized that an old Google account recovery form was still reachable. This form let a user check whether a phone number was linked to a Google account: all that was needed was the display name on the account and the ability to send requests to the server. In this way the researcher could confirm that a given number was indeed linked to a Google account, which is already a worrying privacy flaw on its own.
How can an attacker guess the phone number of a Google account?
The expert took his research a step further. He wanted to test thousands of numbers automatically to see how a cybercriminal could exploit the vulnerability at scale, so he developed a tool that tries random numbers while bypassing Google's security mechanisms. The tool generates valid phone numbers, submits them to the Google form, and thereby gradually learns which numbers are linked to a Google account. The display name the form requires can be learned from Looker Studio: even if the target never opens the document, their display name automatically appears in the Looker Studio interface. The generator then keeps producing valid phone numbers until it finds the one linked to the target's Google account, and the entire process is handled automatically by software.

As the researcher admits, there can be thousands of Google accounts with the same name. To narrow the search, he used fragments of the phone number, and these fragments are easy to obtain: on the Google account recovery page, entering a name and email address can make Google display two digits of a recovery phone number associated with the account.
From there, the software designed by BruteCat can easily link an account to a full phone number. This is obviously a security disaster: with a target's name, email address, and phone number, an attacker can orchestrate convincing and formidable phishing attacks.
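As an added, defender-side illustration (this is neither BruteCat's tool nor Google's code), the following Python shows how the operator of a recovery-style lookup endpoint could spot the brute-force pattern the article describes: one display name held fixed while many different phone numbers are tried in a short time. The log format, the client identifiers, the window length and the thresholds are all assumptions made for the example.

```python
"""
Detect phone-number enumeration against an account-recovery lookup.

Added example, not code from BruteCat or Google. It assumes a hypothetical
server log in which each line records one recovery-form lookup: timestamp,
a client key (IP, session or device id), the display name tried, the phone
number tried (masked here) and whether the server reported a match.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: client A probes eight numbers for one name and
# finally hits; client B does a single legitimate lookup; clients C-F share
# the work of probing one name so that no single client looks noisy.
SAMPLE_LOG = """\
2025-04-14T10:00:00Z client=A name="Jane Doe" phone=+1555***0100 match=no
2025-04-14T10:00:01Z client=A name="Jane Doe" phone=+1555***0101 match=no
2025-04-14T10:00:02Z client=A name="Jane Doe" phone=+1555***0102 match=no
2025-04-14T10:00:03Z client=A name="Jane Doe" phone=+1555***0103 match=no
2025-04-14T10:00:04Z client=A name="Jane Doe" phone=+1555***0104 match=no
2025-04-14T10:00:05Z client=A name="Jane Doe" phone=+1555***0105 match=no
2025-04-14T10:00:06Z client=A name="Jane Doe" phone=+1555***0106 match=no
2025-04-14T10:00:07Z client=A name="Jane Doe" phone=+1555***0107 match=yes
2025-04-14T10:00:10Z client=B name="Bob Roe" phone=+1555***0200 match=yes
2025-04-14T10:00:20Z client=C name="Ann Lee" phone=+1555***0300 match=no
2025-04-14T10:00:21Z client=C name="Ann Lee" phone=+1555***0301 match=no
2025-04-14T10:00:22Z client=D name="Ann Lee" phone=+1555***0302 match=no
2025-04-14T10:00:23Z client=D name="Ann Lee" phone=+1555***0303 match=no
2025-04-14T10:00:24Z client=E name="Ann Lee" phone=+1555***0304 match=no
2025-04-14T10:00:25Z client=E name="Ann Lee" phone=+1555***0305 match=no
2025-04-14T10:00:26Z client=F name="Ann Lee" phone=+1555***0306 match=no
2025-04-14T10:00:27Z client=F name="Ann Lee" phone=+1555***0307 match=no
"""

LINE_RE = re.compile(
    r'^(\S+) client=(\S+) name="([^"]+)" phone=(\S+) match=(yes|no)$'
)


@dataclass(frozen=True)
class Lookup:
    ts: datetime
    client: str
    name: str
    phone: str
    matched: bool


def parse_log(text):
    """Parse the assumed log format into Lookup records (strict: bad lines raise)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts, client, name, phone, match = m.groups()
        events.append(Lookup(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                             client, name, phone, match == "yes"))
    return events


def by_client_and_name(ev):
    """Key for a per-source detector: one client hammering one display name."""
    return (ev.client, ev.name)


def by_name(ev):
    """Key for a global detector: catches clients that rotate IPs/sessions."""
    return ev.name


def peak_distinct_numbers(events, key_fn, window_seconds=60):
    """For each key, the largest number of distinct phone numbers tried
    within any sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # key -> deque of (timestamp, phone)
    peak = defaultdict(int)
    for ev in sorted(events, key=lambda e: e.ts):
        key = key_fn(ev)
        q = recent[key]
        q.append((ev.ts, ev.phone))
        while q and q[0][0] < ev.ts - window:   # evict entries outside window
            q.popleft()
        distinct = len({phone for _, phone in q})
        peak[key] = max(peak[key], distinct)
    return dict(peak)


def find_enumeration(text, key_fn, window_seconds=60, max_distinct=5):
    """Return {key: peak_distinct} for keys whose distinct-number count in a
    window exceeded max_distinct. A normal user never needs to try that many."""
    peaks = peak_distinct_numbers(parse_log(text), key_fn, window_seconds)
    return {k: n for k, n in peaks.items() if n > max_distinct}


if __name__ == "__main__":
    print("per client+name:", find_enumeration(SAMPLE_LOG, by_client_and_name))
    print("per name only:  ", find_enumeration(SAMPLE_LOG, by_name))
```

The two keying choices matter: keyed on client and name, only client A is flagged, while clients C through F each stay under the threshold; keyed on the display name alone, the shared probing of "Ann Lee" is caught as well. Since an unauthenticated lookup that confirms a number against a name is the primitive the article describes, a per-name budget of distinct numbers is the more robust signal, and a `match=yes` arriving at the end of such a burst is the event worth paging on.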
Google fixes the flaw
The researcher reported the vulnerability to Google on April 14, 2025. On May 22, 2025, the Mountain View giant finally decided it was best to look into the flaw, and it fixed the situation by cutting off access to the old recovery form; further mitigation measures were also implemented. BruteCat received a $5,000 bounty for uncovering the vulnerability. It is unknown whether the flaw was exploited by cybercriminals before Google took action.
Source: BruteCat