
A security researcher discovered a bug that could be exploited to reveal the private recovery phone number of almost any Google account without alerting its owner, potentially exposing users to privacy and security risks.
Google confirmed to TechCrunch that it fixed the bug after the researcher alerted the company in April.
The independent researcher, who goes by the handle brutecat and blogged their findings, told TechCrunch that they were able to obtain a Google account's recovery phone number by exploiting a bug in the company's account recovery flow.
The exploit relied on an "attack chain" of several separate steps working together, including leaking the full display name of the targeted account, and bypassing an anti-bot protection mechanism that Google had put in place to prevent malicious spamming of password reset requests. Bypassing that rate limit ultimately allowed the researcher to cycle through every possible combination of digits for the account's phone number in a short time and arrive at the correct number.
By automating the attack chain with a script, the researcher said, it was possible to brute force a Google account's recovery phone number in 20 minutes or less, depending on the length of the phone number.
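The article does not say how the rate limit was bypassed, and the following is an added illustration rather than brutecat's exploit or Google's code. It simulates the one step the article does describe, cycling through candidate phone numbers against a "does this number belong to this account?" check, and shows why the key a rate limit is counted on matters: a limit keyed on the source IP is defeated by rotating addresses, while a limit keyed on the targeted account stops the enumeration after a fixed number of guesses. The target number, account name, IP pool and the assumption that the attacker already knows the country code and the last two digits are all constructed for the example.

```python
from __future__ import annotations

import itertools

# Constructed example; nothing here is brutecat's method or Google's implementation.
# Assumption: the attacker knows the country code and the trailing digits, and
# enumerates the rest. The unknown span is kept short so the simulation runs fast;
# the search space is 10 ** UNKNOWN_DIGITS candidates.
KNOWN_PREFIX = "+1"                                   # assumed known country code
KNOWN_SUFFIX = "42"                                   # assumed known trailing digits
UNKNOWN_DIGITS = 5
SECRET_NUMBER = KNOWN_PREFIX + "03120" + KNOWN_SUFFIX  # constructed target number
TARGET_ACCOUNT = "victim@example.com"                 # constructed target account


def candidates(prefix: str, suffix: str, unknown: int):
    """Yield every number matching the known prefix/suffix, in ascending digit order."""
    for digits in itertools.product("0123456789", repeat=unknown):
        yield prefix + "".join(digits) + suffix


class RecoveryEndpoint:
    """Toy account-recovery check with an optional attempt limit.

    limit_key chooses what the attempt counter is keyed on:
      None       - no rate limit at all
      "ip"       - per source address (defeated by rotating addresses)
      "account"  - per targeted account (survives address rotation)
    """

    def __init__(self, secret: str, limit_key: str | None = None, max_attempts: int = 100):
        self.secret = secret
        self.limit_key = limit_key
        self.max_attempts = max_attempts
        self.counters: dict[str, int] = {}

    def check(self, account: str, source_ip: str, guess: str) -> str:
        if self.limit_key is not None:
            key = source_ip if self.limit_key == "ip" else account
            n = self.counters.get(key, 0) + 1
            self.counters[key] = n
            if n > self.max_attempts:
                return "blocked"
        return "match" if guess == self.secret else "no"


def brute_force(endpoint: RecoveryEndpoint, account: str, ip_pool: list[str]):
    """Try each candidate, rotating the source address on every request.

    Returns (recovered_number_or_None, attempts_made).
    """
    attempts = 0
    for guess in candidates(KNOWN_PREFIX, KNOWN_SUFFIX, UNKNOWN_DIGITS):
        attempts += 1
        result = endpoint.check(account, ip_pool[attempts % len(ip_pool)], guess)
        if result == "match":
            return guess, attempts
        if result == "blocked":
            return None, attempts
    return None, attempts


def simulate(limit_key: str | None, pool_size: int = 1000):
    """Run the enumeration against an endpoint limited in the given way."""
    ip_pool = [f"ip-{i}" for i in range(pool_size)]   # constructed source addresses
    endpoint = RecoveryEndpoint(SECRET_NUMBER, limit_key=limit_key)
    return brute_force(endpoint, TARGET_ACCOUNT, ip_pool)


if __name__ == "__main__":
    for key in (None, "ip", "account"):
        print(f"limit keyed on {key!r}: {simulate(key)}")
```

With the constructed target the secret is the 3,121st candidate, so both the unlimited endpoint and the IP-keyed one (1,000 rotating addresses, 100 attempts each) give it up, while the account-keyed limit blocks the 101st guess regardless of how many addresses the attacker controls. The practical check for a recovery or verification flow is therefore whether its attempt budget is bound to the targeted account (or the value being verified), not only to the caller's network identity.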
To test this, TechCrunch set up a new Google account with a phone number that had never been used before, then provided brutecat with the email address of the new account.
A short time later, brutecat messaged back with the phone number we had set up.
“Bingo :),” said the researcher.
Revealing the private recovery phone number can expose even anonymous Google accounts to targeted attacks, such as SIM swapping. Identifying the private phone number associated with a particular Google account could make it easier for a capable attacker to take control of that phone number with a SIM swap attack, for example. With control of that phone number, the attacker can reset the password of any account associated with it by requesting password reset codes sent to that phone.
Given the potential risk to the wider public, TechCrunch agreed to hold this story until the bug was fixed.
“This issue has been resolved. We have always emphasized the importance of working with the security research community through our vulnerability reward program, and we want to thank the researcher for flagging this issue,” Google spokesperson Kimberly Samra told TechCrunch. “Researchers like this are one of the many ways in which we are able to quickly find and fix problems for the security of our users.”
Samra said the company had seen “no confirmed, direct links to exploitation at this time.”
Brutecat said Google paid $5,000 in bug bounty rewards for their finding.