A security researcher reveals that a poorly secured component of Google's systems allowed the mobile phone numbers of all accounts to be guessed. The ethical hacker, however, reported the flaw to Google beforehand, as part of the firm's bug bounty program.
The flaw was rather easy to exploit, according to its discoverer, a researcher known as “Brutecat.” The Google account recovery page, which itself was quite locked down, coexisted with a JavaScript-free version that was far easier to abuse. When you visit the accounts.google.com/signin/usernamerecovery page, you are presented with a form that asks for an email address.
It then asks you to confirm associated information, which is usually the mobile phone number. At most a few digits of that number are shown, to help the user avoid entering a number other than the one registered. And in the version users normally reach, a captcha always stands in the way of programmatically testing every possible combination.
Google was here the victim of the sedimentation of more or less secure variants of the same interface.
Except that before Brutecat's discovery, the form was also reachable in a version without JavaScript, which allowed the captcha to be bypassed and every possible combination to be tested at very high speed. Enough to leak some rather sensitive personal data, especially if the operation were automated across a large number of email addresses.
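The lesson of the JavaScript-free variant is that a guess budget enforced in the browser (a captcha on one form) protects nothing if a sibling endpoint skips it. The following is an added example, not Google's code and not Brutecat's: a server-side guess budget keyed on the target account that every form variant must route through, plus a detector that runs over recovery-form logs and flags accounts receiving more failed guesses than the policy allows. The limits, the log line format and the sample log entries are all constructed for the example.

```python
"""Added example: one server-side guess budget shared by every variant of a
recovery form, and a log-based detector for phone-number enumeration.
Policy constants and log format are assumptions, not Google's real values."""
import hmac
import re
from collections import defaultdict, deque

GUESS_LIMIT = 5        # assumed policy: failed guesses allowed per target per window
WINDOW_SECONDS = 3600  # assumed policy: sliding-window length in seconds


class RecoveryGuard:
    """Sliding-window budget of failed guesses, keyed on the *target* account.

    Keying on the target (rather than on the client address or on which UI
    variant sent the request) is what stops enumeration through whichever
    variant happens to lack a captcha."""

    def __init__(self, clock, limit=GUESS_LIMIT, window=WINDOW_SECONDS):
        self.clock = clock                    # callable returning seconds; injectable for tests
        self.limit = limit
        self.window = window
        self._failures = defaultdict(deque)   # target -> timestamps of failed guesses

    def _prune(self, target, now):
        queue = self._failures[target]
        while queue and now - queue[0] >= self.window:
            queue.popleft()

    def allowed(self, target):
        now = self.clock()
        self._prune(target, now)
        return len(self._failures[target]) < self.limit

    def record_failure(self, target):
        self._failures[target].append(self.clock())


def verify_recovery(guard, target, guessed_number, real_number):
    """Single chokepoint that every form variant (JS, no-JS, mobile) must call.

    Returns "locked", "match" or "no_match". Once the budget is spent even a
    correct guess yields "locked", so the endpoint stops acting as an oracle."""
    if not guard.allowed(target):
        return "locked"
    if hmac.compare_digest(guessed_number.encode(), real_number.encode()):
        return "match"
    guard.record_failure(target)
    return "no_match"


# Constructed log format for the detector below (not a real Google log schema).
LOG_RE = re.compile(r"ts=(\d+) src=(\S+) target=(\S+) variant=(\S+) result=(\S+)")

# Constructed sample: seven failed guesses against one account through the
# no-JS variant, and one ordinary user who gets it right on the second try.
SAMPLE_LOG = [
    f"ts={1000 + i} src=203.0.113.7 target=alice@example.test variant=nojs result=no_match"
    for i in range(7)
] + [
    "ts=1010 src=198.51.100.2 target=bob@example.test variant=js result=no_match",
    "ts=1011 src=198.51.100.2 target=bob@example.test variant=js result=match",
]


def flag_enumeration(log_lines, threshold=GUESS_LIMIT, window=WINDOW_SECONDS):
    """Report targets that received more than `threshold` failed guesses inside
    any `window`-second span, with the variants and sources involved. A target
    flagged only through one variant is the tell-tale of an unguarded sibling."""
    failures = defaultdict(list)  # target -> [(ts, src, variant)]
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue  # unparseable line: skip rather than crash the detector
        ts, src, target, variant, result = match.groups()
        if result == "no_match":
            failures[target].append((int(ts), src, variant))

    flagged = {}
    for target, events in failures.items():
        events.sort()
        recent = deque()
        for ts, src, variant in events:
            recent.append(ts)
            while recent and ts - recent[0] >= window:
                recent.popleft()
            if len(recent) > threshold:
                flagged[target] = {
                    "attempts": len(events),
                    "variants": sorted({v for _, _, v in events}),
                    "sources": sorted({s for _, s, _ in events}),
                }
                break
    return flagged


if __name__ == "__main__":
    for target, info in flag_enumeration(SAMPLE_LOG).items():
        print(f"{target}: {info['attempts']} failed guesses via {info['variants']} from {info['sources']}")
```

The guard deliberately returns the same "locked" answer for correct and incorrect guesses once the budget is spent; a lockout that still distinguished the two would leave the oracle intact. The detector's "variants" field is the operational check for the situation the article describes: failed guesses arriving only through one variant suggests that variant is missing the control the others enforce.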
According to the researcher, it only took a few seconds to guess a number based in Singapore. For 10-digit numbers like American, French, and more broadly European numbers, it took barely twenty minutes. A duration that's ultimately not so dissuasive for a motivated hacker.
Knowing the recovery number opens the way to a SIM swap, and from there to resetting the passwords of every attached service. In other words, a few lines of code could bypass even the best-configured two-factor authentication. Mountain View, for its part, maintains that "few users" were actually exposed to the problem. Google nevertheless pulled the plug on this form on June 6, 2025.
It must be said that in the era of mandatory HTTPS and security-hardened web standards, one might wonder what it was still doing there. Reported on April 14, 2025, the flaw earned Brutecat a new $5,000 reward to add to an already extensive haul this year: $10,000 in January for reporting a bug in YouTube, and another $20,000 for a report in March.
Between the lines, we understand above all that a forgotten "legacy" form can be enough to bring down a cloud empire, despite reCAPTCHA, BotGuard and other virtual brick walls.