Latest news with #brutecat
Forbes
5 days ago
- Forbes
Google's Gmail Update—Yes, Delete Your Phone Number Now
Why you should delete your number. A raft of headlines will suddenly worry Gmail users, as a researcher proves that a user's private phone number can be 'brute-forced' from their Google account using just their Gmail address. So, do you need to delete the phone number on your account? The answer is yes, there's one account setting where you do need to delete it. Per 404Media, the researcher known as brutecat 'was able to figure out the phone number linked to any Google account, information that is usually not public and is often sensitive, according to the researcher, Google, and 404 Media's own tests.' Google has confirmed the attack and it has deployed an update: 'This issue has been fixed. We've always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue. Researcher submissions like this are one of the many ways we're able to quickly find and fix issues for the safety of our users.' There are major privacy implications in 'brute-forcing the phone number of any Google user,' as brutecat describes it, not least because it's the unique identifier in secure messaging and account recovery, two areas where socially engineered attacks are rife. Fortunately, this was a proof of concept and has not been exploited — that we know. Your phone number is held in two places in your Google account — account recovery and two-factor authentication (2FA), where it's used to text codes when you sign in or access sensitive settings within the account. As I recommended last week, you should only use your number as an account recovery option but delete it for 2FA. Google calls this two-step verification (2SV), and you can find details on changing your settings here. You should only use 2FA linked to physical hardware, which means passkeys, authenticator apps or for the truly security hardened, physical keys. One of the implications of this phone number leak is SIM swapping, where an attacker armed with your number can trick a phone company into issuing a new SIM and so utilize your account. This open up risk, with most 2FA still SMS-based. You do not want an attacker armed with both your Gmail address and your SIM card. The even biggest risk is a fake call claiming to be from a technical support desk. Google has been hit hard by such attacks and has patched as it goes. It emphasizes it will never call users with a security or account issue, but still those attacks come. And so, in addition to deleting your phone number as a 2FA option, you should never engage with any technical or customer support desk from a major brand that calls or texts on the premise of an account or payment or password issue.
TechCrunch
6 days ago
- TechCrunch
Google fixes bug that could reveal users' private phone numbers
A security researcher has discovered a bug that could be exploited to reveal the private recovery phone number of almost any Google account without alerting its owner, potentially exposing users to privacy and security risks. Google confirmed to TechCrunch that it fixed the bug after the researcher alerted the company in April. The independent researcher, who goes by the handle brutecat and blogged their findings, told TechCrunch that they could obtain the recovery phone number of a Google account by exploiting a bug in the company's account recovery feature. The exploit relied on an 'attack chain' of several individual processes working in tandem, including leaking the full display name of a targeted account, and bypassing an anti-bot protection mechanism that Google implemented to prevent the malicious spamming of password reset requests. Bypassing the rate limit ultimately allowed the researcher to cycle through every possible permutation of a Google account's phone number in a short space of time and arrive at the correct digits. By automating the attack chain with a script, the researcher said it was possible to brute-force a Google account owner's recovery phone number in 20 minutes or less, depending on the length of the phone number. To test this, TechCrunch set up a new Google account with a phone number that had never been used before, then provided brutecat with the email address of our new Google account. A short time later, brutecat messaged back with the phone number that we had set. 'bingo :),' said the researcher. Revealing the private recovery phone number can expose even anonymous Google accounts to targeted attacks, such as takeover attempts. Identifying a private phone number associated with someone's Google account could make it easier for skilled hackers to take control of that phone number through a SIM swap attack, for example. With control of that phone number, the attacker can reset the password of any account associated with that phone number by generating password reset codes sent to that phone. Given the potential risk to the wider public, TechCrunch agreed to hold this story until the bug could be fixed. 'This issue has been fixed. We've always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue,' Google spokesperson Kimberly Samra told TechCrunch. 'Researcher submissions like this are one of the many ways we're able to quickly find and fix issues for the safety of our users.' Samra said that the company has seen 'no confirmed, direct links to exploits at this time.' Brutecat said Google paid $5,000 in a bug bounty reward for their finding.
WIRED
6 days ago
- WIRED
A Researcher Figured Out How to Reveal Any Phone Number Linked to a Google Account
Jun 9, 2025 10:00 AM Phone numbers are a goldmine for SIM swappers. A researcher found how to get this precious piece of information through a clever brute-force attack. ILLUSTRATION: WIRED STAFF A cybersecurity researcher was able to figure out the phone number linked to any Google account, information that is usually not public and is often sensitive, according to the researcher, Google, and 404 Media's own tests. The issue has since been fixed but at the time presented a privacy issue in which even hackers with relatively few resources could have brute forced their way to peoples' personal information. This article was created in partnership with 404 Media, a journalist-owned publication covering how technology impacts humans. For more stories like this, sign up here. 'I think this exploit is pretty bad since it's basically a gold mine for SIM swappers,' the independent security researcher who found the issue, who goes by the handle brutecat, wrote in an email. SIM swappers are hackers who take over a target's phone number in order to receive their calls and texts, which in turn can let them break into all manner of accounts. In mid-April, we provided brutecat with one of our personal Gmail addresses in order to test the vulnerability. About six hours later, brutecat replied with the correct and full phone number linked to that account. 'Essentially, it's bruting the number,' brutecat said of their process. Brute forcing is when a hacker rapidly tries different combinations of digits or characters until finding the ones they're after. Typically that's in the context of finding someone's password, but here brutecat is doing something similar to determine a Google user's phone number. Brutecat said in an email the brute forcing takes around one hour for a U.S. number, or 8 minutes for a UK one. For other countries, it can take less than a minute, they said. In an accompanying video demonstrating the exploit, brutecat explains an attacker needs the target's Google display name. They find this by first transferring ownership of a document from Google's Looker Studio product to the target, the video says. They say they modified the document's name to be millions of characters, which ends up with the target not being notified of the ownership switch. Using some custom code, which they detailed in their write up, brutecat then barrages Google with guesses of the phone number until getting a hit. 'The victim isn't notified at all :)' a caption in the video reads. A Google spokesperson told 404 Media in a statement 'This issue has been fixed. We've always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue. Researcher submissions like this are one of the many ways we're able to quickly find and fix issues for the safety of our users.' Phone numbers are a key piece of information for SIM swappers. These sorts of hackers have been linked to countless hacks of individual people in order to steal online usernames or cryptocurrency. But sophisticated SIM swappers have also escalated to targeting massive companies. Some have worked directly with ransomware gangs from Eastern Europe. Armed with the phone number, a SIM swapper may then impersonate the victim and convince their telecom to reroute text messages to a SIM card the hacker controls. From there, the hacker can request password reset text messages, or multi-factor authentication codes, and log into the victim's valuable accounts. This could include accounts that store cryptocurrency, or even more damaging, their email, which in turn could grant access to many other accounts. On its website, the FBI recommends people do not publicly advertise their phone number for this reason. 'Protect your personal and financial information. Don't advertise your phone number, address, or financial assets, including ownership or investment of cryptocurrency, on social media sites,' the site reads. In their write-up, brutecat said Google awarded them $5,000 and some swag for their findings. Initially, Google marked the vulnerability as having a low chance of exploitation. The company later upgraded that likelihood to medium, according to brutecat's write-up.
