Google fixes bug that could reveal users' private phone numbers
Google confirmed to TechCrunch that it fixed the bug after the researcher alerted the company in April.
The independent researcher, who goes by the handle brutecat and blogged their findings, told TechCrunch that they could obtain the recovery phone number of a Google account by exploiting a bug in the company's account recovery feature.
The exploit relied on an 'attack chain' of several individual processes working in tandem, including leaking the full display name of a targeted account, and bypassing an anti-bot protection mechanism that Google implemented to prevent the malicious spamming of password reset requests. Bypassing the rate limit ultimately allowed the researcher to cycle through every possible permutation of a Google account's phone number in a short space of time and arrive at the correct digits.
By automating the attack chain with a script, the researcher said it was possible to brute-force a Google account owner's recovery phone number in 20 minutes or less, depending on the length of the phone number.
To test this, TechCrunch set up a new Google account with a phone number that had never been used before, then provided brutecat with the email address of our new Google account.
A short time later, brutecat messaged back with the phone number that we had set.
'bingo :),' said the researcher.
Revealing the private recovery phone number can expose even anonymous Google accounts to targeted attacks, such as takeover attempts. Identifying a private phone number associated with someone's Google account could make it easier for skilled hackers to take control of that phone number through a SIM swap attack, for example. With control of that phone number, the attacker can reset the password of any account associated with that phone number by generating password reset codes sent to that phone.
Given the potential risk to the wider public, TechCrunch agreed to hold this story until the bug could be fixed.
'This issue has been fixed. We've always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue,' Google spokesperson Kimberly Samra told TechCrunch. 'Researcher submissions like this are one of the many ways we're able to quickly find and fix issues for the safety of our users.'
Samra said that the company has seen 'no confirmed, direct links to exploits at this time.'
Brutecat said Google paid $5,000 in a bug bounty reward for their finding.
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Yahoo
22 minutes ago
- Yahoo
Bullish (BLSH) Soars Anew on Strong Buying
We recently published . Bullish (NYSE:BLSH) is one of the top performers on Thursday. Cryptocurrency exchange Bullish saw its share prices grow by 9.75 percent on Thursday to close at $74.63 apiece as investors continued to post strong confidence in the company. After its debut on the stock market on Wednesday, August 13, shares of Bullish (NYSE:BLSH) already rose by a whopping 219 percent from its $37 IPO price, to an intra-day high of $118, before paring gains to finish lower. PTstock/ The company successfully raised $1.1 billion in fresh funds from its IPO, covering 30 million shares or 19.9 percent of its total stock. As of Thursday, it was valued at nearly $11 billion. Bullish (NYSE:BLSH) joins the roster of publicly listed cryptocurrency exchange platforms, taking advantage of President Donald Trump's favorable attitude towards the cryptocurrency industry. Unlike most crypto exchanges, Bullish (NYSE:BLSH) primarily caters to institutional clients, offering spot trading, margin trading, and crypto derivatives, targeting the stable and recurring revenue stream that institutional investors provide. While we acknowledge the potential of BLSH as an investment, our conviction lies in the belief that some AI stocks hold greater promise for delivering higher returns and have limited downside risk. If you are looking for an extremely cheap AI stock that is also a major beneficiary of Trump tariffs and onshoring, see our free report on the .
Yahoo
22 minutes ago
- Yahoo
DLocal (DLO) Gets Boost from Optimistic Outlook Despite Threats
We recently published . DLocal Ltd. (NASDAQ:DLO) is one of the top performers on Thursday. Shares of DLocal skyrocketed by 31.31 percent on Thursday to end at $15.35 apiece, as investor optimism was buoyed by the company's strong growth outlook for full-year 2025 despite the threats of macroeconomic uncertainties. In its updated report, DLocal Ltd. (NASDAQ:DLO) said it expects full-year revenues to jump by 30 to 40 percent year-on-year, with adjusted EBITDA growth of 40 to 50 percent in the same comparable period. Image Source: Shutterstock 'Our updated guidance reflects the strong performance in the first half of the year and the sustained momentum anticipated across our business,' it said. However, it outlined risks that could potentially impact the company moving forward, including trade tariffs, shifting fiscal regimes in Brazil, and the possibility of currency devaluations or changes in foreign exchange regimes in Argentina and Egypt. In the first six months of the year, DLocal Ltd. (NASDAQ:DLO) saw its net income increase by 40 percent to $89.5 million from $64 million in the same period last year, while revenues grew 33 percent to $473.2 million from $355.7 million. While we acknowledge the potential of DLO as an investment, our conviction lies in the belief that some AI stocks hold greater promise for delivering higher returns and have limited downside risk. If you are looking for an extremely cheap AI stock that is also a major beneficiary of Trump tariffs and onshoring, see our free report on the .
Yahoo
22 minutes ago
- Yahoo
Cellebrite (CLBT) Cheers on 3rd Day After Swing to Profit
We recently published . Cellebrite DI Ltd. (NASDAQ:CLBT) is one of the top performers on Thursday. Cellebrite rallied for a third consecutive day on Thursday, jumping 9.29 percent to end at $15.29 apiece after swinging to profitability in the second quarter of the year. In its updated report, Cellebrite DI Ltd. (NASDAQ:CLBT) climbed to a net income of $19.48 million from a $23.8 million net loss in the same period last year. Revenues increased by 18 percent to $113.28 million from $95.7 million. In the first half, the company posted a net profit of $36.88 million, reversing a $95.18 million net loss in the same comparable period. Revenues were higher by 19 percent to $220.8 million versus $185.3 million year-on-year. Copyright: aijohn784 / 123RF Stock Photo Despite strong figures, Cellebrite DI Ltd. (NASDAQ:CLBT) lowered its outlook on key metrics for the full-year period, with revenues now pegged at $465 million to $475 million, versus the $470 million to $485 million targeted previously. The new outlook represents a 16 to 18 percent annual growth, versus the 17 to 21 percent expected prior. For the third quarter alone, revenues were targeted at $121 million to $126 million, or a 13 to 18 percent growth year-on-year. Following the performance, investment firm Needham lowered its price target for Cellebrite DI Ltd. (NASDAQ:CLBT) to $18 from $24 previously, but maintained a 'buy' recommendation on the stock. While we acknowledge the potential of CLBT as an investment, our conviction lies in the belief that some AI stocks hold greater promise for delivering higher returns and have limited downside risk. If you are looking for an extremely cheap AI stock that is also a major beneficiary of Trump tariffs and onshoring, see our free report on the .
