
In April, a researcher uncovered a security vulnerability within Google’s account system that allowed them to obtain any user’s linked phone number—without triggering any notifications to the targeted individual.
This flaw was initially discovered and reported to Google by an independent security researcher known as brutecat. The vulnerability resided in Google’s account recovery mechanism and involved a complex chain of coordinated processes operating across multiple subsystems. Once the initial steps were completed, the remainder of the exploitation process became significantly more straightforward.
Specifically, the researcher found a way to bypass Google’s anti-bot protections, which are normally designed to restrict the frequency of password reset requests. With that limit bypassed, the researcher was able to use brute-force enumeration to cycle through candidate phone numbers until a valid combination was found.
Given that phone numbers are composed of fixed-length numeric sequences, it was not particularly difficult to iterate through possible combinations. The researcher developed a script to fully automate the attack, enabling the extraction of a target’s actual phone number in as little as 20 minutes—or even less under optimal conditions.
Once the real number linked to an account was identified, it could be leveraged in a variety of attacks—for instance, impersonating Google to send fake security alerts prompting users to re-enter their passwords. In the case of high-value targets, adversaries could initiate a SIM-swapping attack to seize control of the associated Google account.
Google has since patched the vulnerability entirely within its account systems. The company emphasized that this incident underscores the critical value of its Vulnerability Reward Program and its collaboration with the security research community. Google extended its gratitude to the reporting researcher and awarded a $5,000 bounty for the discovery.
Additionally, after conducting an internal investigation, Google confirmed that no attacks exploiting this specific vulnerability were detected prior to the fix—meaning no user phone numbers were compromised as a result of this issue.