Without warning the owner, security researchers can discover bugs that can be exploited to reveal the private recovery phone numbers for almost any Google account, putting users at privacy and security risks.
Google confirmed with TechCrunch that it fixed a bug after researchers warned the company in April.
An independent researcher who blogged his findings using Brutecat on the handle told TechCrunch that he could use bugs in the company’s account recovery feature to get a recovery phone number for a Google account.
The exploit relied on a “attack chain” of several individual processes working in tandem, including leaking the full display name of the target account and bypassing the anti-bot protection mechanism Google implemented to prevent malicious spam in password reset requests. Bypassing rate limits ultimately allowed researchers to cycle through any possible permutations of Google account phone numbers in a short time, reaching the correct number.
By automating the attack chain with scripts, the researchers said it is possible to brute force the recovery phone number of the Google account owner within 20 minutes, depending on the length of the phone number.
To test this, TechCrunch set up a new Google account using a phone number that has never been used before and provided Brutecat with the email address of the new Google account.
After a while, Brutecat sent a message with the phone number we had set up.
“Bingo:),” the researcher said.
By revealing your private recovery phone number, even anonymous Google accounts can be exposed to target attacks such as attempts to acquire. Identifying the private phone number associated with someone’s Google account can make it easier for a skilled hacker to control that phone number via a SIM swap attack. By controlling that phone number, an attacker can reset the password for the account associated with that phone number by generating a password reset code sent to the phone.
Given the potential risks to the wider public, TechCrunch agreed to keep this story until the bug was fixed.
“This issue has been fixed. We have always emphasized the importance of working with the security research community through our vulnerability rewards program. We would like to thank the researchers for flagging this issue.” “Such researcher submissions are one of many ways to quickly find and fix the issue for the sake of user safety.”
Samra said the company “will not expose any direct links that have been confirmed at this time.”
Brutecat said Google paid $5,000 in bug prize money for their discovery.