A security researcher has discovered a bug that could be exploited to reveal the private recovery phone number of almost any Google account without alerting its owner, potentially exposing users to privacy and security risks.
Google confirmed to TechCrunch that it fixed the bug after the researcher alerted the company in April.
The independent researcher, who goes by the handle brutecat and blogged their findings, told TechCrunch that they could obtain the recovery phone number of a Google account by exploiting a bug in the company’s account recovery feature.
The exploit relied on an “attack chain” of several individual processes working in tandem, including leaking the full display name of a targeted account, and bypassing an anti-bot protection mechanism that Google implemented to prevent the malicious spamming of password reset requests. Bypassing the rate limit ultimately allowed the researcher to cycle through every possible permutation of a Google account’s phone number in a short space of time and arrive at the correct digits.
By automating the attack chain with a script, the researcher said it was possible to brute-force a Google account owner’s recovery phone number in 20 minutes or less, depending on the length of the phone number.
To test this, TechCrunch set up a new Google account with a phone number that had never been used before, then provided brutecat with the email address of our new Google account.
A short time later, brutecat messaged back with the phone number that we had set.
“bingo :),” said the researcher.
Revealing the private recovery phone number can expose even anonymous Google accounts to targeted attacks, such as takeover attempts. Identifying a private phone number associated with someone’s Google account could make it easier for skilled hackers to take control of that phone number through a SIM swap attack, for example. With control of that phone number, the attacker can reset the password of any account associated with that phone number by generating password reset codes sent to that phone.
Given the potential risk to the wider public, TechCrunch agreed to hold this story until the bug could be fixed.
“This issue has been fixed. We’ve always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue,” Google spokesperson Kimberly Samra told TechCrunch. “Researcher submissions like this are one of the many ways we’re able to quickly find and fix issues for the safety of our users.”
Samra said that the company has seen “no confirmed, direct links to exploits at this time.”
Brutecat said Google paid $5,000 in a bug bounty reward for their finding.
