
Google Fixes Bug Revealing User Phone Numbers

June 9, 2025

Google Account Recovery Bug Exposed Private Phone Numbers

A security vulnerability was recently identified that allowed unauthorized disclosure of the private recovery phone number linked to Google accounts. This flaw potentially placed users at risk of privacy breaches and security compromises.

Bug Confirmation and Resolution

Google has officially confirmed the existence of this bug to TechCrunch and stated that a fix was implemented following notification from the researcher in April.

Researcher's Discovery

The researcher, known as brutecat, detailed their findings in a blog post. They demonstrated the ability to retrieve a Google account’s recovery phone number by exploiting a weakness within the account recovery process.

Exploit Details: An Attack Chain

The exploit involved a series of coordinated actions. This “attack chain” included revealing the complete display name of the target account and circumventing Google’s anti-bot measures designed to prevent automated password reset requests.

Successfully bypassing the rate limiting mechanisms allowed the researcher to rapidly test numerous phone number combinations. This ultimately led to identifying the correct digits associated with the account.

Brute-Force Capabilities

Through script automation, the researcher was able to brute-force a Google account owner’s recovery phone number in under 20 minutes. The exact time depended on the length of the phone number itself.
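From the defender's side, the pattern described above (many distinct recovery-phone candidates submitted against one account in a short window) is detectable in recovery-flow logs even when per-client rate limits and anti-bot checks have been bypassed, because the target account stays constant. The following is an added example, not code from the article, the researcher or Google; the log format, field names and threshold are assumptions, and the sample lines are constructed.

```python
"""Flag recovery-phone enumeration against a single target account.

Keys on the target account rather than the source IP, since the article
notes the per-client anti-bot and rate-limit controls were bypassed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format): one line per candidate phone
# number submitted for a target account in the recovery flow.
SAMPLE_LOG = """\
2025-04-14T10:00:00Z recovery_check target=victim@example.com phone=+15550000001 ok=false
2025-04-14T10:00:00Z recovery_check target=victim@example.com phone=+15550000002 ok=false
2025-04-14T10:00:01Z recovery_check target=victim@example.com phone=+15550000003 ok=false
2025-04-14T10:00:01Z recovery_check target=victim@example.com phone=+15550000004 ok=false
2025-04-14T10:00:02Z recovery_check target=victim@example.com phone=+15550000005 ok=false
2025-04-14T10:00:02Z recovery_check target=victim@example.com phone=+15550000006 ok=true
2025-04-14T10:05:00Z recovery_check target=alice@example.com phone=+15551234567 ok=true
2025-04-14T10:06:00Z recovery_check target=alice@example.com phone=+15551234567 ok=true
"""


def parse_line(line):
    """Split one log line into (timestamp, target account, candidate phone)."""
    ts_str, _event, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["target"], fields["phone"]


def find_enumeration(log_text, window=timedelta(minutes=10), max_distinct=5):
    """Return {target: distinct_candidates} for every target that saw more
    than max_distinct distinct phone guesses inside any sliding window.
    A legitimate user re-entering the same number repeatedly is not flagged."""
    by_target = defaultdict(list)
    for line in log_text.splitlines():
        ts, target, phone = parse_line(line)
        by_target[target].append((ts, phone))
    flagged = {}
    for target, events in by_target.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            distinct = {phone for _, phone in events[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[target] = max(flagged.get(target, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))  # {'victim@example.com': 6}
```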

TechCrunch Verification

To validate the findings, TechCrunch created a new Google account using a previously unused phone number. They then shared the account’s email address with brutecat.

The researcher quickly responded with the correct phone number, confirming the vulnerability.

Potential Security Implications

Exposure of the recovery phone number can leave even anonymous Google accounts vulnerable to targeted attacks, including account takeover attempts. A compromised phone number could be exploited through a SIM swap attack.

Gaining control of the phone number allows attackers to reset passwords for any accounts linked to it, utilizing password reset codes sent via SMS.

Responsible Disclosure

Recognizing the potential impact on users, TechCrunch agreed to delay publication of this story until Google addressed and resolved the security issue.

Google's Response

“This issue has been fixed,” stated Google spokesperson Kimberly Samra. “We’ve always stressed the importance of working with the security research community and thank the researcher for their contribution.”

Samra further indicated that Google has not detected any confirmed instances of exploitation related to this vulnerability.

Bug Bounty Reward

Brutecat received a bug bounty reward of $5,000 from Google for responsibly disclosing the security flaw.

  • Key Takeaway: The vulnerability showed how much an account recovery flow depends on its rate limiting and anti-automation controls holding up; once those were bypassed, the recovery phone number could be brute-forced.
  • Mitigation: Google’s swift response demonstrates a commitment to user security.
