A security researcher has identified a bug that could potentially expose the private recovery phone numbers of nearly any Google account without notifying the account owner, creating significant privacy and security risks.
Google confirmed to TechCrunch that it has fixed the bug after being alerted by the researcher in April.
The independent researcher, known as brutecat, detailed their findings in a blog post, explaining that the bug was found in Google’s account recovery feature.
The exploit involved an “attack chain” of multiple steps, including leaking the full display name of a targeted account and bypassing Google’s anti-bot protections designed to prevent malicious password reset requests. Bypassing those protections let the researcher circumvent the rate limit and quickly cycle through every possible permutation of a Google account’s recovery phone number.
By automating the attack with a script, brutecat stated that it was possible to brute-force a Google account owner’s recovery phone number in 20 minutes or less, depending on the number’s length.
To demonstrate this, TechCrunch created a new Google account with an unused phone number and provided brutecat with the email address. Within a short time, brutecat successfully revealed the phone number, stating, “bingo :)”.
Revealing a recovery phone number can put even anonymous Google accounts at risk of targeted attacks, such as account takeover attempts. If an attacker identifies a private phone number linked to a Google account, they could execute a SIM swap attack to gain control of that number. This would enable them to reset passwords for any accounts associated with it by receiving password reset codes.
Due to the potential risk to the public, TechCrunch agreed to withhold this story until the bug was resolved.
“This issue has been fixed. We’ve always emphasized the importance of collaborating with the security research community through our vulnerability rewards program and thank the researcher for flagging this issue,” said Google spokesperson Kimberly Samra. “Submissions like this help us quickly identify and rectify problems for our users’ safety.”
Samra noted that the company has found “no confirmed, direct links to exploits at this time.”
The researcher, brutecat, received a $5,000 bug bounty reward from Google for the discovery.
SOURCE: TECH CRUNCH