Full Report
The bug allowed a researcher to uncover recovery phone numbers of nearly any Google account.
Analysis Summary
# Vulnerability: Google Account Recovery Phone Number Leak via Brute-Force Attack Chain
## CVE Details
- CVE ID: Not explicitly provided in the context.
- CVSS Score: Not explicitly provided in the context. Severity is implied to be high based on the impact.
- CWE: Not explicitly provided in the context, but relates to issues in Account Recovery Logic/Rate Limiting (potentially CWE-864: Improper State Transition or CWE-307: Limitation of a Resource or Rate Limiting).
## Affected Systems
- Products: Google Account Recovery Feature/System.
- Versions: Undetermined; the flaw was present in the live service until the fix was deployed in April 2025.
- Configurations: Any Google account where a recovery phone number is set.
## Vulnerability Description
A security flaw existed within Google's account recovery feature that allowed an attacker to construct an "attack chain" to brute-force and reveal a user's private recovery phone number. This exploit chain involved:
1. Leaking the full display name of the targeted Google account.
2. Bypassing or correctly navigating anti-bot protection mechanisms designed to prevent the mass spamming of password reset requests.
3. Automating the process to cycle through all possible phone number permutations against the account.
The researcher demonstrated that with this automation, a recovery phone number could be discovered in 20 minutes or less.
## Exploitation
- Status: Proof of Concept (PoC) publicly demonstrated by an independent researcher ("brutecat") and confirmed via testing by TechCrunch. **Fix was deployed after disclosure in April.**
- Complexity: Low to Medium (the chain must be scripted to run at scale, but once automated it requires no special access or privileges).
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: High (Reveals sensitive personal identifying information—the recovery phone number).
- Integrity: Medium (The exposed phone number facilitates subsequent attacks like SIM swap attacks to gain control over the account).
- Availability: Low (Direct impact on service availability is low, but exposure increases the risk of account takeover).
## Remediation
### Patches
- Google confirmed that the bug was **fixed** after the researcher alerted them in April [2025]. Specific patch versions are not available in this context.
### Workarounds
- No explicit workarounds were mentioned, as the vulnerability was patched quickly upon responsible disclosure. Users should follow standard account security practices to reduce their exposure to SIM swap attacks.
## Detection
- Indicators of compromise (IoCs) would likely involve high volumes of failed login or password reset attempts targeting a specific account from abnormal IP addresses, or unexpected rate-limiting activity on Google’s account recovery endpoints.
- Detection methods would require internal monitoring of the account recovery flow for unusual request volumes or sequences.
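The following is an added illustration, not code from the report or from Google: a small detector that scans account-recovery log lines for the pattern the Detection section describes, many recovery attempts against one account in a short window, spread across several source IPs. The log format, field names, thresholds and sample entries are all constructed assumptions for the example.

```python
"""
Added example (not part of the original report): flag accounts whose
recovery flow receives an abnormal burst of attempts, optionally from
rotating source IPs. The log format and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log line shape (not Google's real logging):
# <ISO timestamp> recovery_attempt acct=<account> ip=<source ip> result=<fail|success>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) recovery_attempt acct=(?P<acct>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return {"ts": ts, "acct": m["acct"], "ip": m["ip"], "result": m["result"]}


def _fmt(ts, acct, ip, result):
    return f"{ts.strftime(TS_FMT)} recovery_attempt acct={acct} ip={ip} result={result}"


def build_sample_log():
    """Constructed sample log: one benign user plus one account under a brute-force burst."""
    base = datetime(2025, 4, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = [
        # Benign: a user who fails twice over half an hour and then succeeds.
        _fmt(base, "bob", "203.0.113.5", "fail"),
        _fmt(base + timedelta(minutes=30), "bob", "203.0.113.5", "fail"),
        _fmt(base + timedelta(minutes=31), "bob", "203.0.113.5", "success"),
        "garbage line that should be ignored by the parser",
    ]
    # Suspicious: 60 attempts against one account within 30 seconds, rotating over 8 IPs.
    for i in range(60):
        lines.append(_fmt(base + timedelta(seconds=i // 2), "victim",
                          f"198.51.100.{i % 8 + 1}", "fail"))
    return lines


def detect(lines, window=timedelta(seconds=60), max_attempts=20):
    """
    Sliding-window detector: for each account, count recovery attempts inside
    `window`; when the count reaches `max_attempts`, record the largest burst
    seen and how many distinct source IPs it used. Returns {account: alert}.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            events[ev["acct"]].append(ev)

    alerts = {}
    for acct, evs in events.items():
        evs.sort(key=lambda e: e["ts"])  # logs may arrive out of order
        recent = deque()
        best = None
        for ev in evs:
            recent.append(ev)
            # Drop attempts that have aged out of the window.
            while recent and ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if len(recent) >= max_attempts:
                candidate = {
                    "attempts": len(recent),
                    "distinct_ips": len({e["ip"] for e in recent}),
                    "window_end": ev["ts"],
                }
                if best is None or candidate["attempts"] > best["attempts"]:
                    best = candidate
        if best is not None:
            alerts[acct] = best
    return alerts


if __name__ == "__main__":
    for acct, alert in detect(build_sample_log()).items():
        print(f"ALERT {acct}: {alert['attempts']} attempts from "
              f"{alert['distinct_ips']} IPs ending {alert['window_end'].isoformat()}")
```

The per-account view matters here: because the chain rotates source addresses to stay under per-IP limits, a detector keyed only on IP would see eight quiet clients rather than one account under attack. Counting distinct IPs per burst gives a second signal that distinguishes a forgetful user retrying from one device from an automated enumeration.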
## References
- Vendor advisory: Google confirmed the fix to TechCrunch.
- Relevant links:
  - Researcher findings blog: hxxps://brutecat.com/articles/leaking-google-phones
  - TechCrunch Article: hxxps://techcrunch.com/2025/06/09/google-fixes-bug-that-could-reveal-users-private-phone-numbers/