Google Addresses Vulnerability Exposing Users’ Private Phone Numbers

In a significant development for user privacy, a security researcher has uncovered a vulnerability that could potentially expose the private recovery phone numbers of Google account holders. This flaw, if exploited, could lead to serious privacy and security concerns for users, as it allows unauthorized access to sensitive information without notifying the account owner.

Following the discovery, Google confirmed to a tech news outlet that it has resolved the issue after being alerted by the researcher in April. This prompt action underscores the company’s commitment to user security and the importance of addressing vulnerabilities swiftly.

The researcher, known by the pseudonym brutecat, detailed their findings in a blog post, explaining how they managed to retrieve the recovery phone number associated with a Google account by taking advantage of a flaw in the account recovery process. This exploit involved a series of coordinated steps, including revealing the full display name of the targeted account and circumventing Google’s anti-bot measures designed to prevent abuse of the password reset feature.

By bypassing the rate limits, the researcher was able to systematically test possible phone numbers for a targeted Google account in a remarkably short time frame. They reported that, with the help of an automated script, it was feasible to brute-force the recovery phone number in under 20 minutes, depending on the number’s length.

To validate this claim, a new Google account was created with a previously unused phone number, and the researcher was provided with the email address of this account. Shortly thereafter, brutecat was able to accurately identify the recovery phone number, confirming the vulnerability’s existence.

This exposure of private recovery phone numbers poses a significant risk, even for users who believe their accounts are anonymous. It could facilitate targeted attacks, such as account takeovers. For instance, if a malicious actor gains access to a user’s recovery phone number, they could execute a SIM swap attack, allowing them to reset passwords for any accounts linked to that number by receiving password reset codes.

Recognizing the potential implications for public safety, the tech news outlet agreed to withhold the story until the vulnerability was addressed. A spokesperson for Google emphasized the importance of collaboration with the security research community through their vulnerability rewards program, thanking the researcher for bringing this issue to their attention. They noted that such contributions are vital for the ongoing safety of users.

As of now, Google has reported no confirmed instances of this vulnerability being exploited. The researcher, brutecat, received a $5,000 reward as part of the company’s bug bounty program for their valuable discovery.
