Phone numbers are a goldmine for SIM swappers. A researcher found how to get this precious piece of information through a clever brute-force attack.
# Analysis Summary
# Main Topic
Discovery of a vulnerability that allowed anyone to reveal the phone number linked to any Google account via a brute-force attack, posing a critical risk, particularly as an enabler of SIM swapping.
## Key Points
- The vulnerability allowed an attacker to discover the full phone number associated with a target's Google account, information typically kept private.
- The method employed by the researcher involved a "clever brute-force attack."
- The primary danger highlighted is the accessibility of phone numbers, which are essential for SIM swappers to hijack accounts.
- The time required for the brute-force attack varied by country: approximately one hour for a U.S. number, eight minutes for a U.K. number, and less than a minute for numbers from other countries.
- The attacker first needed the target's Google display name, which could be obtained by transferring ownership of a Looker Studio document to the target.
- The issue was reported and subsequently fixed by Google.
## Threat Actors
- **Potential Threat Actors:** SIM Swappers (hackers who take over phone numbers to gain access to linked accounts).
- **Attribution:** The vulnerability was discovered and demonstrated by an independent security researcher operating under the handle "brutecat."
## TTPs
- **Technique:** Brute-forcing numerical sequences (phone numbers) against Google's infrastructure.
- **Prerequisite Step:** Obtaining the target's Google display name by transferring ownership of a Google Looker Studio document to the target.
- **Attack Vector:** A flaw in an account-verification or lookup process that accepted brute-forced phone-number guesses.
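A defender-side detection for this TTP, as an added example that is not from the report, the researcher, or Google: it replays constructed lookup-log lines in an assumed format (timestamp, client IP, quoted target display name, candidate number, result) and flags any target display name that receives many distinct phone-number candidates within a short window, which is the signature of the enumeration described above.

```python
# Added example: detect phone-number enumeration against a lookup that takes a
# display name plus a candidate number. Log format and field names are assumed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one client hammers "Alice Example" with consecutive
# numbers, while "Bob Example" sees a normal retry of a single number.
SAMPLE_LOG = """\
2025-06-01T10:00:00Z 203.0.113.5 "Alice Example" +14155550100 no_match
2025-06-01T10:00:01Z 203.0.113.5 "Alice Example" +14155550101 no_match
2025-06-01T10:00:02Z 198.51.100.7 "Bob Example" +442079460000 no_match
2025-06-01T10:00:02Z 203.0.113.5 "Alice Example" +14155550102 no_match
2025-06-01T10:00:03Z 203.0.113.5 "Alice Example" +14155550103 no_match
2025-06-01T10:00:04Z 203.0.113.5 "Alice Example" +14155550104 no_match
2025-06-01T10:00:05Z 203.0.113.5 "Alice Example" +14155550105 match
2025-06-01T10:05:00Z 198.51.100.7 "Bob Example" +442079460000 match
"""

WINDOW = timedelta(minutes=10)
THRESHOLD = 5  # distinct candidate numbers per target within WINDOW

def parse(line):
    """Split one assumed-format log line into (ts, ip, target, number, result)."""
    ts, ip, rest = line.split(" ", 2)
    name_end = rest.index('"', 1)            # closing quote of the display name
    target = rest[1:name_end]
    number, result = rest[name_end + 1:].split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, target, number, result

def detect_enumeration(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one (target, window_start, distinct_count) alert per target whose
    distinct candidate numbers within `window` reach `threshold`. Keyed by the
    display name because the attack holds it fixed and varies only the number."""
    recent = defaultdict(deque)   # target -> deque of (ts, number), oldest first
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _ip, target, number, _result = parse(line)
        q = recent[target]
        q.append((ts, number))
        while q and ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        distinct = {n for _, n in q}
        if len(distinct) >= threshold and target not in alerted:
            alerted.add(target)
            alerts.append((target, q[0][0], len(distinct)))
    return alerts
```

The count threshold and window are placeholders; in production the same rule would be keyed per target and per source and fed into rate limiting rather than only alerting.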
## Affected Systems
- Google Accounts (specifically, the mechanism used to link and verify associated phone numbers).
- Google Looker Studio (used as an indirect vector to obtain the prerequisite display name).
## Mitigations
- **Action Taken:** The vulnerability was reported to Google and has since been fixed.
- **General Mitigation Reminder (Implied):** Because the exploit was geared toward SIM swapping, users should ensure their secondary account security measures are robust and do not rely solely on SMS-based 2FA.
## Conclusion
This incident highlights a significant privacy and security flaw stemming from a design decision that allowed brute-force enumeration of phone numbers linked to Google accounts. The direct link between obtaining this data and facilitating high-impact SIM swapping attacks raises the severity. Security teams should verify that the exposed endpoint and logic have been fully patched by Google and reinforce MFA methods that do not rely on SMS (e.g., hardware keys or authenticator apps).