Google Patched Critical Bug That Could Expose Users' Private Recovery Phone Numbers
Google Addresses Bug That Could Reveal Users' Private Phone Numbers

A security researcher, known online as brutecat, has uncovered a significant vulnerability in Google's account recovery system. The bug could allow attackers to discover the private recovery phone number of nearly any Google account holder without notifying the account owner, posing serious privacy and security threats. Google confirmed to TechCrunch that it had fixed the bug after brutecat reported it in April.

The vulnerability involved a series of interconnected steps, collectively referred to as an "attack chain." The chain included leaking the full display name of a target account and evading Google's anti-bot mechanisms, which are designed to prevent the automated submission of password reset requests.

Brutecat detailed how the attack chain worked. First, the researcher could leak the full display name of a targeted account, which is often linked to the user's identity. Next, by bypassing the rate limit, brutecat could test numerous permutations of a phone number in rapid succession, significantly reducing the time required to guess the correct digits. Using an automated script, the process could be completed in as little as 20 minutes, regardless of the phone number's length.

To validate the severity of the issue, TechCrunch created a new Google account with a previously unused phone number and shared the email address with brutecat. Shortly thereafter, brutecat returned with the exact phone number, confirming the vulnerability. "Bingo :)," remarked the researcher.

The implications of this bug are far-reaching. Revealing a private recovery phone number can expose even anonymous Google accounts to targeted attacks, such as account takeovers via SIM swap techniques. In a SIM swap, an attacker convinces a mobile carrier to transfer the target's phone number to a device under the attacker's control. Once the attacker controls the phone number, they can intercept password reset codes and gain unauthorized access to the accounts linked to it.

Recognizing the critical nature of the vulnerability, TechCrunch held off on publishing the story until Google could resolve the issue. "We appreciate the work of the security research community and the valuable contributions they make to enhancing the safety and privacy of our users," said Kimberly Samra, a Google spokesperson. "This issue has been fixed, and we are grateful to the researcher for bringing it to our attention. Their submission is part of our ongoing efforts to identify and address vulnerabilities swiftly." Samra added that there were no confirmed reports of the bug being exploited in the wild at the time.

As part of its bug bounty program, Google rewarded brutecat with a payment of $5,000 for identifying and reporting the flaw. The company's vulnerability rewards program is a crucial component of its strategy to improve security by collaborating with independent researchers.

This episode underscores the importance of continuous security monitoring and the value of engaging with the security community. By promptly addressing the bug, Google has taken a vital step in protecting its users from potential harm. However, the incident also highlights the ongoing challenges in securing online identities and the need for vigilance from both users and tech companies.
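The core defensive lesson of the chain described above is that a recovery-number check is only as strong as the rate limit that protects it, and that the limit must be keyed on the account being probed rather than on the caller, because an automated caller can rotate source addresses. The following is an added illustration, not code from Google or from the researcher: a sliding-window limiter for recovery attempts, run against a constructed batch of requests from rotating IP addresses (all names, the 203.0.113.x addresses, the account name and the limits are assumptions chosen for the example) to show that source-keyed limiting lets every probe through while target-keyed limiting caps the attacker at a handful of guesses per window.

```python
import time
from collections import defaultdict, deque

# Assumed policy values for the example: five recovery checks per account per hour.
MAX_ATTEMPTS = 5
WINDOW_SECONDS = 3600


class FakeClock:
    """Deterministic clock so the example (and its test) runs offline and instantly."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class RecoveryAttemptLimiter:
    """Sliding-window counter: at most `max_attempts` events per key within `window` seconds."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock
        self._events = defaultdict(deque)  # key -> timestamps of recent attempts

    def allow(self, key):
        """Return True and record the attempt if `key` is under its limit, else False."""
        now = self.clock()
        q = self._events[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


# Two keying strategies for the same request stream. Each request is
# (source_ip, target_account); only the key function differs.
def key_by_source(source_ip, target_account):
    return source_ip  # weak: an attacker rotating IPs gets a fresh budget each time


def key_by_target(source_ip, target_account):
    return target_account  # strong: the budget belongs to the account being probed


def count_allowed(limiter, requests, key_fn):
    """How many of `requests` the limiter would let reach the recovery-number check."""
    allowed = 0
    for source_ip, target_account in requests:
        if limiter.allow(key_fn(source_ip, target_account)):
            allowed += 1
    return allowed


def constructed_probe_stream(count=200, distinct_ips=50, target="victim@example.test"):
    """Constructed sample input: `count` probes at one account, spread over `distinct_ips` addresses."""
    return [(f"203.0.113.{i % distinct_ips}", target) for i in range(count)]


if __name__ == "__main__":
    clock = FakeClock()
    stream = constructed_probe_stream()
    print("source-keyed, allowed:", count_allowed(RecoveryAttemptLimiter(clock=clock), stream, key_by_source))
    print("target-keyed, allowed:", count_allowed(RecoveryAttemptLimiter(clock=clock), stream, key_by_target))
```

With 200 probes spread across 50 addresses, the source-keyed limiter never sees any single address exceed four attempts and admits all 200; the target-keyed limiter admits five and refuses the rest until the window rolls over, which is what turns a 20-minute brute force into one that cannot complete. In a real deployment the per-target budget would be stored server-side (for example in a shared cache) so that it survives across instances and cannot be reset by the caller.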