Google Fixes Bug Exposing Private Recovery Phone Numbers
A security researcher uncovered a bug in Google’s account recovery process that could reveal private recovery phone numbers without alerting users. By bypassing protections and automating the attack, the researcher could brute-force phone numbers in under 20 minutes. Google confirmed the vulnerability was fixed following responsible disclosure and awarded a bug bounty.
The vulnerability, found by an independent security researcher, sat in Google's account recovery flow and could expose the private recovery phone number of nearly any Google account without the owner ever being notified. Because the recovery number is itself a credential for regaining access, the flaw was a privacy leak with a direct path to account takeover.
The researcher, known as brutecat, detailed how the exploit chained several weaknesses: leaking the full display name of the target account, bypassing the anti-bot protections that are meant to stop password reset spamming, and circumventing the rate limits that normally cap how many attempts can be made. Together these let an attacker cycle through every candidate phone number quickly enough for a full enumeration.
By automating this attack chain with a script, brutecat demonstrated that a Google account’s recovery phone number could be brute-forced in 20 minutes or less, depending on the phone number’s length. TechCrunch independently verified this by creating a new Google account with a unique phone number and confirming brutecat’s ability to retrieve it.
The implications are serious: a leaked recovery phone number is the starting point for targeted attacks such as SIM swapping, in which an attacker takes over the victim's phone number, intercepts password reset codes sent to it, and gains control of the account. Even accounts operated anonymously were exposed, because the attack worked against the account itself rather than against any public identity tied to it.
Google responded promptly after being alerted in April, confirming that the bug has been fixed. The company emphasized its commitment to collaborating with the security research community through its vulnerability rewards program, which awarded brutecat a $5,000 bounty for this finding.
Google said it had found no confirmed exploitation of the bug. Still, the incident shows why recovery flows need continuous security testing and why responsible disclosure matters. It is also a reminder for users to keep their account recovery information current and for companies to guard recovery data as carefully as passwords.
Understanding the Attack Chain
The exploit’s success hinged on a multi-step attack chain that included:
- Leaking the full display name of the targeted Google account.
- Bypassing Google’s anti-bot protections to avoid detection during password reset attempts.
- Circumventing rate limits to rapidly test all possible phone number combinations.
Each of these controls was presumably sound on its own; the attacker defeated them by chaining modest weaknesses, which is why rate limits and bot defences have to be evaluated against the full attack chain rather than one request at a time.
Why This Matters for Users and Organizations
Recovery phone numbers are a critical security element for account restoration. If exposed, they can become a gateway for attackers to hijack accounts through social engineering or SIM swap attacks. This incident underscores the need for:
- Offering recovery and second-factor methods that do not depend on a phone number, since SMS-based factors inherit the SIM-swap risk.
- Keying rate limits and bot detection on the target account as well as the request source, and testing them against chained attacks rather than single requests.
- Encouraging users to review and update their recovery options regularly.
By addressing these areas, organizations can reduce the risk of similar vulnerabilities being exploited in their own systems.
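The attack chain above and the "robust rate limiting" recommendation are easiest to see in a small simulation. The following is an added example written for this page, not code from Google or from brutecat's writeup: it models a toy "is this the recovery number for account X?" endpoint, first with a limiter keyed only on the caller's address (an attacker who rotates through a pool of addresses never trips it) and then with an additional budget keyed on the target account. The account name, the 4-digit "number", the address pool and the per-key budgets are all constructed for the demo; a real phone number space is 10 raised to the number of unknown digits, which the `digits` parameter lets you raise.

```python
import hmac
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window`-second span."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and now - q[0] >= self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class RecoveryService:
    """Toy recovery-number check endpoint (hypothetical, for illustration).

    per_target=False: limiter keyed only on the caller's address.
    per_target=True:  adds a budget keyed on the *target* account, which the
                      attacker cannot reset by changing source addresses.
    """

    def __init__(self, recovery_numbers: dict, per_target: bool,
                 limit: int = 10, window: float = 3600.0):
        self._numbers = recovery_numbers      # account -> recovery number (constructed data)
        self.per_target = per_target
        self._by_ip = SlidingWindowLimiter(limit, window)
        self._by_account = SlidingWindowLimiter(limit, window)

    def check(self, src_ip: str, account: str, candidate: str, now: float) -> str:
        if not self._by_ip.allow(src_ip, now):
            return "rate_limited"
        if self.per_target and not self._by_account.allow(account, now):
            return "rate_limited"
        stored = self._numbers.get(account, "")
        # constant-time comparison so the endpoint is not also a timing oracle
        return "match" if hmac.compare_digest(stored, candidate) else "no_match"


def enumerate_number(service: RecoveryService, account: str, ip_pool: list, digits: int = 4):
    """Attacker loop: try every candidate once, rotating through a pool of
    source addresses so that no single address exceeds the per-IP budget.
    Returns (recovered_number_or_None, number_of_guesses_actually_evaluated)."""
    evaluated = 0
    now = 0.0
    for i in range(10 ** digits):
        candidate = f"{i:0{digits}d}"
        src = ip_pool[i % len(ip_pool)]
        result = service.check(src, account, candidate, now)
        now += 0.01                          # whole run stays well inside one window
        if result == "rate_limited":
            continue
        evaluated += 1
        if result == "match":
            return candidate, evaluated
    return None, evaluated


def run_demo():
    # Constructed data: one victim account and a 4-digit "number" (10,000 candidates).
    numbers = {"victim@example.com": "7342"}
    # Hypothetical pool of 1,000 attacker addresses; per-IP budget is 10, so the
    # pool covers all 10,000 candidates without any address being limited.
    ip_pool = [f"10.{i >> 8}.{i & 255}.1" for i in range(1000)]
    weak = RecoveryService(numbers, per_target=False)
    hardened = RecoveryService(numbers, per_target=True)
    return {
        "weak": enumerate_number(weak, "victim@example.com", ip_pool),
        "hardened": enumerate_number(hardened, "victim@example.com", ip_pool),
    }


if __name__ == "__main__":
    for name, (found, tried) in run_demo().items():
        print(f"{name:9s}: recovered={found!r} after {tried} evaluated guesses")
```

Against the per-IP-only service the attacker recovers the number after evaluating every candidate up to it; against the per-target service only the first ten guesses are ever evaluated and the rest are rejected, no matter how many addresses the attacker controls. The remaining design question a real service must answer is what happens at that point: alerting the account owner and requiring a stronger factor before further recovery attempts is the behaviour the article's "without notifying the account owner" finding was missing.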
The Role of Responsible Disclosure and Bug Bounties
This case exemplifies the importance of collaboration between security researchers and technology companies. The researcher responsibly disclosed the vulnerability to Google, allowing the company to patch the flaw before it could be exploited maliciously.
Google’s vulnerability rewards program incentivizes such disclosures with monetary rewards, in this case $5,000. These programs are vital for maintaining the security ecosystem, encouraging ethical hacking, and protecting millions of users worldwide.
Ultimately, this incident is a reminder that security is a continuous process requiring vigilance, transparency, and cooperation between all stakeholders.