A security researcher has found a flaw that could be used to expose users to privacy and security issues by disclosing the private recovery phone number of nearly any Google account without notifying the account owner.
After the researcher notified Google in April, the company confirmed to TechCrunch that it had rectified the flaw.
The independent researcher, who goes by the handle brutecat and blogged their findings, told TechCrunch that they could obtain the recovery phone number of a Google account by exploiting a bug in the company’s account recovery feature.
The vulnerability circumvented an antibot protection system Google put in place to stop malicious spamming of password reset requests, and it depended on a “attack chain” of multiple independent processes working together to disclose the full display name of a targeted account. The researcher was able to quickly cycle through every possible combination of a Google account’s phone number and arrive at the proper digits by circumventing the rate limit.
The researcher claimed that, depending on the length of the phone number, it was possible to brute-force the recovery phone number of a Google account owner in 20 minutes or less by automating the attack chain with a script.
TechCrunch tested this by creating a new Google account with an unidentified phone number and then giving brutecat the new Google account’s email address.
The phone number we had specified was returned by brutecat a short while later.
Even anonymous Google accounts may be subject to targeted attacks, such takeover attempts, if the private recovery phone number is made public. Finding a private phone number linked to a person’s Google account may make it simpler for knowledgeable hackers to take over that number using a SIM swap attack, for instance. By creating password reset codes and sending them to the phone, the attacker can reset the password of any account linked to that phone number.
TechCrunch decided to postpone this report until the flaw was patched due to the possible risk to the general audience.
“This problem has been resolved.Through our vulnerability rewards program, we have consistently emphasized the value of collaborating with the security research community, and we are grateful to the researcher for bringing this to our attention,” Google spokesperson Kimberly Samra told TechCrunch. “This type of researcher submission is one of the many ways we are able to swiftly identify and address risks for our users’ safety.”
Leave feedback about this