A newly discovered vulnerability lets hackers brute-force any Google account’s recovery phone number using a JavaScript-disabled version of the Google username recovery form. All the hacker needs to know is the profile name and a partial phone number to get started.
The bug was discovered by security researcher BruteCat, who was testing Google services to see whether any of them still worked without JavaScript. Surprisingly, the now obsolete username recovery form still worked, even with JavaScript disabled in the browser. The form lets a user query whether a phone number is associated with a Google account, based on the account’s profile display name, via specially crafted POST requests.
The page did have rate limiting and a CAPTCHA to prevent abuse. However, the rate limiting was bypassed using IPv6 address rotation, which can generate trillions of unique source IPs for sending verification requests. The CAPTCHA could also be bypassed by replacing the “bgresponse=js_disabled” parameter with a BotGuard token taken from the form itself.
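The IPv6 rotation bypass described above works because a per-address rate limit treats every one of the 2^64 addresses in a single /64 as a new client. The following is an added defender-side example, not code from the article or from Google: a sliding-window limiter that buckets IPv6 clients by /64 (the assumed per-site allocation; IPv4 keeps its /32), with a constructed simulation showing that address rotation inside one /64 no longer escapes the budget.

```python
import ipaddress
from collections import defaultdict, deque


class PrefixRateLimiter:
    """Sliding-window rate limiter keyed on a network prefix rather than a full address.

    Assumption (constructed for this example): IPv6 clients share one budget per /64,
    the prefix typically delegated to a single end site, so rotating through the
    addresses inside it does not reset the counter. IPv4 clients keep a /32 key.
    """

    def __init__(self, limit: int, window_seconds: float, v6_prefix: int = 64):
        self.limit = limit
        self.window = window_seconds
        self.v6_prefix = v6_prefix
        self._hits: dict[str, deque] = defaultdict(deque)  # bucket -> request timestamps

    def bucket(self, client_ip: str) -> str:
        """Normalise a client address to the prefix that owns its rate budget."""
        addr = ipaddress.ip_address(client_ip)
        if addr.version == 6:
            return str(ipaddress.ip_network(f"{addr}/{self.v6_prefix}", strict=False))
        return str(ipaddress.ip_network(f"{addr}/32"))

    def allow(self, client_ip: str, now: float) -> bool:
        """Return True if the request fits the bucket's budget, recording it if so."""
        hits = self._hits[self.bucket(client_ip)]
        while hits and now - hits[0] >= self.window:  # drop hits outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def simulate_rotation(limiter: PrefixRateLimiter, prefix: str, attempts: int) -> int:
    """Constructed attacker model: each request comes from a different address in `prefix`.

    Returns how many of the `attempts` requests the limiter let through.
    """
    net = ipaddress.ip_network(prefix)
    allowed = 0
    for i in range(attempts):
        source = str(net[i])  # i-th address of the block: a fresh source every time
        if limiter.allow(source, now=i * 0.001):  # 1 ms apart, well inside the window
            allowed += 1
    return allowed
```

With a per-/64 key, 100 rotated requests against a 10-per-minute budget yield 10 successes; with a per-address (/128) key, all 100 pass, which is the gap the article's attack exploited.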

For the account name, the researcher discovered that creating a Looker Studio document and transferring its ownership to the target Gmail address revealed the name. This method also requires no interaction with the target. BruteCat had previously discovered how to reveal the private email addresses of YouTube accounts. Partial phone numbers can be retrieved from Google’s account recovery pages, which display two digits of a configured recovery phone number.
From there, BruteCat developed a brute-force script that can work at a rate of 40,000 requests per second. This means US phone numbers will take 20 minutes to crack, UK numbers will require four minutes, the Netherlands just 15 seconds, and Singapore only five seconds. This was done on a $0.30 per hour server with consumer-grade specs.
Leaked phone numbers are a major privacy concern, leading to smishing, vishing, or even SIM swapping attacks. Thankfully, Google was notified and has since patched the issue, with the form no longer being active. That said, while the attack vector is no longer exploitable, it is unknown whether or not this exploit was ever maliciously used.