
A security vulnerability discovered by a researcher has raised serious concerns about user privacy on Google accounts. This flaw could potentially allow unauthorized individuals to uncover the private recovery phone numbers of nearly any Google user without notifying the account owner, thereby posing significant security threats. The researcher, known as brutecat, detailed their findings in a blog post and informed Google about the bug in April. Following this alert, the tech giant confirmed to TechCrunch that the issue has been resolved.

The exploit took advantage of a flaw in Google's account recovery process, which involved a sequence of actions that included leaking the full display name of the targeted account and circumventing a protective mechanism designed to stop automated password reset requests. By bypassing the rate-limiting measures, brutecat was able to quickly test numerous combinations of phone numbers associated with Google accounts. The researcher automated this process using a script, allowing them to potentially retrieve the recovery phone number of an account in 20 minutes or less, based on the number's length.

To demonstrate the vulnerability, TechCrunch created a new Google account with a previously unused phone number and provided brutecat with the account's email address. Remarkably, the researcher was able to relay back the phone number almost immediately, confirming the exploit's effectiveness.

The implications of revealing a private recovery phone number are significant. Even accounts that maintain anonymity could fall victim to targeted attacks, such as SIM swap attempts. By gaining control over a user's recovery number, hackers could reset passwords for any accounts linked to that number by utilizing password reset codes sent via SMS. In light of the potential risks to users, TechCrunch agreed to delay reporting on the bug until it was fixed.

Google spokesperson Kimberly Samra stated, "This issue has been fixed. We've always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue." Samra also mentioned that Google has not found any confirmed instances of the exploit being used maliciously. As a token of appreciation for the discovery, Google awarded brutecat a $5,000 bug bounty.