Overview of Google’s Security Flaw
Recently, Google addressed a significant security vulnerability that could allow malicious actors to uncover a user’s recovery phone number, leading to potential privacy breaches. The concern was raised by a Singapore-based researcher known as “brutecat,” who discovered an oversight in Google’s account recovery mechanisms.
The Nature of the Vulnerability
The flaw lay in the account recovery feature, which was designed to let a user check whether a recovery phone number or email address was associated with a particular display name. That check was served by an outdated version of the Google username recovery form that did not implement sufficient anti-abuse measures, leaving it open to brute-force attacks.
Exploiting the Vulnerability
By bypassing CAPTCHA restrictions, an attacker could rapidly submit many candidate digit combinations for a Google account’s phone number. The number of attempts needed, and therefore the time required, depended on the length of the phone number, which varies by regional format. This sharply reduced the time needed to reveal a victim’s recovery phone number.
Steps Involved in the Attack
- Utilizing Looker Studio to leak the Google account’s display name.
- Employing the “Forgot Password” process for the target email to display the last two digits of the masked phone number (e.g., •• ••••••03).
- Engaging in brute-force attempts against the username recovery endpoint to identify the complete phone number.
The researcher noted that, for instance, a Singaporean phone number could be uncovered in as little as five seconds, while a U.S. number might take up to 20 minutes.
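As an added illustration from the defender’s side (not code from the article, from brutecat or from Google), the following Python flags the pattern the attack relies on: one source cycling through many distinct phone-number candidates for the same display name against a recovery lookup endpoint. The log format, field names, sample lines and thresholds are all assumed here.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log for a hypothetical recovery lookup endpoint (format assumed):
# timestamp, client IP, display name queried, phone candidate submitted, lookup result.
SAMPLE_LOG = """\
2025-04-14T10:00:00Z 203.0.113.7 name="Alice Tan" phone="+6591234501" result=no_match
2025-04-14T10:00:01Z 203.0.113.7 name="Alice Tan" phone="+6591234502" result=no_match
2025-04-14T10:00:01Z 203.0.113.7 name="Alice Tan" phone="+6591234503" result=match
2025-04-14T10:00:02Z 203.0.113.7 name="Alice Tan" phone="+6591234504" result=no_match
2025-04-14T10:00:03Z 203.0.113.7 name="Alice Tan" phone="+6591234505" result=no_match
2025-04-14T10:05:00Z 198.51.100.9 name="Bob Lee" phone="+6598765432" result=match
2025-04-14T10:06:00Z 198.51.100.9 name="Bob Lee" phone="+6598765432" result=match
"""
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) name="(?P<name>[^"]*)" '
    r'phone="(?P<phone>[^"]*)" result=(?P<result>\w+)$'
)

def parse_log(text):
    """Parse lines matching the assumed format; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events

def find_enumeration(events, window=timedelta(seconds=60), max_candidates=3):
    """Return {(ip, name): peak distinct candidates} for source/name pairs that submit
    more than max_candidates distinct phone values inside any sliding window.
    A user re-entering their own number repeats one candidate; an enumerator cycles
    through many, and that spread of candidates is the signal used here."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["ip"], e["name"])].append(e)
    alerts = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:  # drop events older than the window
                start += 1
            distinct = {x["phone"] for x in evs[start:end + 1]}
            if len(distinct) > max_candidates:
                alerts[key] = max(len(distinct), alerts.get(key, 0))
    return alerts
```

The same per-source, per-target budget, enforced at request time rather than in the logs, is the anti-abuse control the outdated form lacked.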
Potential Risks to Users
Once an attacker gains access to a Google account’s phone number, they could execute a SIM-swapping attack, which allows them to reset passwords for various accounts tied to that number. This type of access poses significant risks, as it can enable unauthorized control over numerous online services and sensitive information.
Google’s Response to the Discovery
Following a responsible disclosure on April 14, 2025, Google provided a reward of $5,000 to brutecat for the discovery and subsequently eliminated the vulnerable JavaScript-disabled username recovery form on June 6, 2025. This decisive action aimed to shore up security and prevent further abuse.
Previous Discoveries by Brutecat
This vulnerability is not the first issue unveiled by brutecat; earlier, the researcher highlighted another serious exploit that allowed the exposure of YouTube channel owners’ email addresses. This exploit leveraged a flaw in the YouTube API in conjunction with an outdated web API for Pixel Recorder, ultimately leading to a reward of $10,000.
Recent Vulnerabilities Identified
In March, brutecat also revealed access control weaknesses in the “/get_creator_channels” endpoint on YouTube, which could leak email addresses of creators in the YouTube Partner Program. For this disclosure, the researcher received a reward of $20,000. Google confirmed that attackers exploiting this vulnerability could de-anonymize YouTube creators, undermining the expected privacy these users typically rely on when engaging on the platform.