A security flaw recently uncovered by a cybersecurity researcher could have exposed the private recovery phone numbers linked to virtually any Google account. This vulnerability posed significant privacy and security threats, potentially enabling unauthorized access or targeted cyberattacks without alerting the account holders.
Google confirmed that it swiftly patched the issue after receiving the initial report from an independent researcher identified as brutecat, who disclosed the discovery of the vulnerability in April. The researcher explained that the flaw centered around Google’s account recovery functionality and involved manipulating several steps in a chain of processes designed to safeguard user information.
Specifically, the exploit chained two steps: revealing the full display name associated with a targeted account, then circumventing Google's anti-bot measures intended to block suspicious password-reset attempts. With those restrictions bypassed, the researcher could rapidly test a large number of candidate phone numbers against the recovery-number check for a particular Google account. According to brutecat, automating this process enabled them to pinpoint the correct recovery number within approximately 20 minutes or less, depending on its length.
To independently verify the findings, the researcher was provided with a newly created Google account linked to a phone number that had never previously been associated with any Google account. Shortly after, brutecat successfully identified the exact recovery number tied to the test account.
The disclosure highlighted serious potential consequences. Armed with a private recovery phone number, attackers might more easily execute targeted account takeovers or carry out SIM swap attacks, assuming control of the phone number in order to intercept login verification texts and reset passwords on other accounts.
Recognizing the implications of the bug, Google remedied the security weakness before any details came to public attention. A spokesperson from the company expressed gratitude to the security community and emphasized the importance of their vulnerability rewards program. Google further stated that no active exploitation related to this vulnerability had been observed.
The researcher received a $5,000 payout from Google under its bug bounty initiative in recognition of responsibly alerting the company to the vulnerability.