Google has stepped in to address a security flaw that could have made it possible to brute-force an account's recovery phone number, potentially exposing them to privacy and security risks. The issue, according to Singaporean security researcher "brutecat," leverages an issue in the company's account recovery feature. That said, exploiting the vulnerability hinges on several moving parts, specifically targeting a now-deprecated JavaScript-disabled version of the Google username recovery form ("accounts.google[.]com/signin/usernamerecovery") that lacked anti-abuse protections designed to prevent spammy requests. The page in question is designed to help users check if a recovery email or phone number is associated with a specific display name (e.g., "John Smith"). But circumventing the CAPTCHA-based rate limit ultimately made it possible to try out all permutations of a Google account's phone number in a short space of time and arrive at the correct digits in seconds or minutes, depending on the length of the phone number (which varies from country to country). An attacker could also take advantage of Google's Forgot Password flow to figure out the country code associated with a victim's phone number, as well as obtain their display name by creating a Looker Studio document and transferring ownership to the victim, effectively causing their full name to be leaked on the home page. In all, the exploit requires performing the following steps – Leak the Google account display…Read More
Researcher Found Flaw to Discover Phone Numbers Linked to Any Google Account
