Google Patches Critical Flaw That Exposed Private Phone Numbers

Google has fixed a serious bug in its account recovery system that could have exposed users’ private phone numbers. The flaw allowed attackers to brute-force recovery phone numbers tied to Google accounts without alerting account owners, raising concerns about privacy and potential SIM swapping attacks.
How the Google Flaw Worked
Security researcher “brutecat” discovered in mid-April that Google’s legacy non-JavaScript recovery form lacked proper bot protections. By combining the display name of a target with a brute-force script, brutecat could guess full phone numbers linked to Google accounts. The attack worked in as little as 20 minutes for U.S. numbers and as fast as 15 seconds for smaller countries like the Netherlands.
The method required two key pieces of information: the victim’s display name and a partial masked phone number. Brutecat retrieved the name from Looker Studio document ownership. Google’s UI sometimes shows partial phone digits during account recovery, assisting the brute-force process.
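As an added illustration (not code from the article or from Google), this is the kind of per-target throttling the legacy recovery form lacked: a sliding-window limiter replayed over constructed recovery-request log lines, showing that keying the limit on the account being recovered catches a rotating-address brute force that a per-source-IP limit would miss. Thresholds and log format are assumptions for the example.

```python
from collections import defaultdict, deque

# Assumed thresholds for this example (not Google's real settings).
WINDOW_SECONDS = 600
MAX_ATTEMPTS = 10

class RecoveryGuard:
    """Sliding-window limiter for recovery-form guesses, keyed on a chosen field."""
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_ATTEMPTS):
        self.window = window
        self.limit = limit
        self.attempts = defaultdict(deque)  # key -> timestamps inside the window

    def check(self, key, ts):
        """True if the attempt may proceed; False if this key is throttled."""
        q = self.attempts[key]
        while q and ts - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True

def constructed_log():
    """Constructed sample, not real data: 12 guesses against acct-A from
    rotating addresses within 60 s, plus two attempts on acct-B hours apart."""
    lines = [f"{1700000000 + 5 * i} 203.0.113.{i} acct-A mismatch" for i in range(12)]
    lines += ["1700000100 198.51.100.7 acct-B mismatch",
              "1700010000 198.51.100.7 acct-B match"]
    return "\n".join(lines)

def count_throttled(log_text, keyed_on="target", window=WINDOW_SECONDS, limit=MAX_ATTEMPTS):
    """Replay '<ts> <source_ip> <target> <outcome>' lines through the guard and
    return how many attempts per key would have been refused."""
    guard = RecoveryGuard(window, limit)
    refused = defaultdict(int)
    for line in log_text.strip().splitlines():
        ts, source, target, _outcome = line.split()
        key = target if keyed_on == "target" else source
        if not guard.check(key, float(ts)):
            refused[key] += 1
    return dict(refused)

if __name__ == "__main__":
    print("per target:", count_throttled(constructed_log()))            # {'acct-A': 2}
    print("per source:", count_throttled(constructed_log(), "source"))  # {}
```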
Risks and Real-World Impact
Revealing a private phone number is more than an annoyance. It presents a significant security threat. Attackers can use the number to perform SIM swapping, intercept SMS-based multi-factor authentication, and hijack accounts. With over 40,000 number guesses possible per second on low-cost servers, even protected accounts were vulnerable.
Google acknowledged the issue and rated it as medium severity after initially downplaying its exploitability. The company has since disabled the vulnerable endpoint and restored adequate protections.
Google Response and Fix
After brutecat reported the issue through Google’s Vulnerability Reward Program in April, the tech giant moved quickly to investigate and respond. On June 6, Google fully deprecated the flawed recovery pathway. It also issued a $5,000 bug bounty payout to brutecat.
A Google spokesperson stated that they found no evidence of malicious exploitation. The company credited its collaboration with the security research community for swiftly identifying and resolving the vulnerability.
What Users Should Do
Google advises users to review and update their recovery phone numbers and enable stronger two-factor authentication methods like hardware keys or authenticator apps. Experts also recommend limiting public display of personal phone numbers and checking account recovery settings regularly.