8 hours ago
Google just fixed a bug that made it scary easy for attackers to find your phone number
Edgar Cervantes / Android Authority
TL;DR Google won't intentionally reveal the name or phone number associated with an account, but a series of vulnerabilities made it possible for attackers to get just that.
The company's account recovery tools were hijacked to allow for brute forcing of the phone number.
Google has since eliminated this loophole, preventing the attack.
It's obvious that some personal information, like our Social Security numbers, is important to keep private, but what about something like your phone number? While you readily share it with friends and businesses, these days a phone number can be a very powerful thing, especially when it's tied to all your accounts and used by many for 2FA. That's exactly why companies like Google work to keep your number a closely held secret — at least, they try to. But now a new report sheds light on a vulnerability that could have allowed attackers to brute force the phone number connected to your Google account.
Published by Brutecat, the attack centers on the tools Google provides for account recovery when you're having trouble logging in. While the vast majority of Google forms utilize JavaScript to help limit bot automation, this one page didn't seem to require it. Intrigued, Brutecat continued picking away at it, and ultimately discovered a series of vulnerabilities that, when strung together, could end up revealing the phone number associated with an account.
It all starts with a clever use of Google's Looker Studio web analytics tool to get the display name tied to a Google account — that's a lot like how Brutecat similarly used Pixel Recorder in its recent YouTube exploit to reveal email addresses.
Google's account recovery tool offers a hint at the phone number connected to an account, providing the final two digits to help you recognize it (in case you're juggling multiple lines). To prove you are who you are, you're expected to provide your name and complete phone number. Looker Studio already revealed name information, but how do we get the rest of the phone number?
It took a little doing, but Brutecat was able to sidestep some rate-limiting precautions Google implemented, effectively allowing it to just keep guessing at the missing phone number digits until it got it right. Google provides enough info to figure out the country code, and knowing that can narrow down the valid area codes or prefixes, reducing the size of the search and speeding up the attack. Ultimately, the site was able to run through the possibilities and narrow things down to the correct number in under 20 minutes — as low as 4 minutes for some numbers in some countries.
Google was informed of the vulnerability back in April, and after reevaluating its severity, ultimately rewarded the researchers a $5,000 bug bounty. A fix started rolling out late last month, and is now fully deployed. Google tells TechCrunch:
This issue has been fixed. We've always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue. Researcher submissions like this are one of the many ways we're able to quickly find and fix issues for the safety of our users.
While it's great to know that this one window of exposure has been closed, it's also worth thinking about moving your 2FA workflow from something based on your phone number to one using something like an authenticator app or hardware security token.
Got a tip? Talk to us! Email our staff at
Email our staff at news@ . You can stay anonymous or get credit for the info, it's your choice.
