Google Resolves Security Flaw Exposing Users’ Private Phone Numbers

A security researcher recently uncovered a bug that had the potential to expose the private recovery phone number of almost any Google account without the user even knowing. This could have serious implications for user privacy and security. Google has since fixed the bug after being alerted by the researcher in April.

The researcher, who goes by the name brutecat, explained that they were able to access the recovery phone number of a Google account by exploiting a flaw in the company’s account recovery process. This exploit involved a series of steps, including revealing the full name associated with the account and bypassing Google’s anti-bot protection measures. By circumventing the rate limit, the researcher was able to quickly cycle through possible phone number combinations and eventually obtain the correct digits.

Using a script to automate the process, the researcher was able to crack a Google account’s recovery phone number in less than 20 minutes, depending on the number’s length. To test this vulnerability, TechCrunch set up a new Google account with a previously unused phone number and provided the email address to brutecat. Within a short period, the researcher was able to retrieve the phone number associated with the account.

By exposing private recovery phone numbers, even anonymous Google accounts are at risk of targeted attacks, such as takeover attempts. Hackers could potentially take control of a phone number through a SIM swap attack, allowing them to reset passwords on accounts linked to that number by intercepting password reset codes.

Google has since fixed the bug and thanked the researcher for bringing it to their attention. The company stressed the importance of collaboration with the security research community to identify and address vulnerabilities quickly and ensure user safety. Kimberly Samra, a Google spokesperson, confirmed that the bug has been resolved and that no direct links to exploits have been confirmed at this time. Google rewarded brutecat with a $5,000 bug bounty for discovering the issue.