- Google won’t intentionally reveal the name or phone number associated with an account, but a series of vulnerabilities made it possible for attackers to get just that.
- The company’s account recovery tools were hijacked to allow for brute forcing of the phone number.
- Google has since eliminated this loophole, preventing the attack.
It’s obvious that some personal information, like our Social Security numbers, is important to keep private, but what about something like your phone number? While you readily share it with friends and businesses, these days a phone number can be a very powerful thing, especially when it’s tied to all your accounts and used by many for 2FA. That’s exactly why companies like Google work to keep your number a closely held secret — at least, they try to. But now a new report sheds light on a vulnerability that could have allowed attackers to brute force the phone number connected to your Google account.
Published by Brutecat, the attack centers on the tools Google provides for account recovery when you’re having trouble logging in. While the vast majority of Google forms utilize JavaScript to help limit bot automation, this one page didn’t seem to require it. Intrigued, Brutecat continued picking away at it, and ultimately discovered a series of vulnerabilities that, when strung together, could end up revealing the phone number associated with an account.