Full Report
A vulnerability allowed researchers to brute-force any Google account's recovery phone number simply by knowing their profile name and an easily retrieved partial phone number, creating a massive risk for phishing and SIM-swapping attacks. [...]
Analysis Summary
# Vulnerability: Google Account Phone Number Leakage via Recovery Endpoints
## CVE Details
- CVE ID: Not specified in the provided text.
- CVSS Score: Medium Severity (Graded by Google post-disclosure, specific CVSS vector/score not provided).
- CWE: Not stated; likely related to Insecure Direct Object Reference (IDOR) or Improper Access Control, since the endpoint allowed a phone number to be matched to an account from partial data.
## Affected Systems
- Products: Google Account Services (specifically the account recovery workflow).
- Versions: Not specified, but relates to the vulnerable no-JS recovery endpoint prior to deprecation.
- Configurations: Any Google account where a recovery phone number was associated.
## Vulnerability Description
A researcher discovered a flaw in Google's account recovery workflow that allowed an attacker to potentially enumerate and leak the full recovery phone number associated with a given Google account. The attack involved two steps:
1. Using the account recovery feature to obtain two digits of the recovery phone number linked to the account, based on the associated email address.
2. Narrowing the search space by combining that partial hint with digits exposed by other services (PayPal, for example, masks a number as `+14•••••1779`), which left only the remaining digits to be resolved through targeted queries against Google's systems.
This leakage poses a significant risk for targeted attacks such as vishing or SIM-swap fraud.
## Exploitation
- Status: PoC available (a demonstration video was mentioned). Whether it was exploited maliciously in the wild is unknown.
- Complexity: Low/Medium (partial hints from other services reduce the number of queries required).
- Attack Vector: Network (Remote exploitation via web service interaction).
## Impact
- Confidentiality: High (exposure of sensitive personally identifiable information, namely user phone numbers).
- Integrity: Medium (Enabling subsequent social engineering or account takeover attempts).
- Availability: Low (No direct impact on service availability reported).
## Remediation
### Patches
- Google confirmed the full deprecation of the vulnerable no-JS recovery endpoint on June 6, 2025. Specific patch versions are not detailed as the fix was endpoint removal.
### Workarounds
- None explicitly listed, as the vulnerability was fully mitigated by Google deprecating the endpoint. (For users: keep recovery methods up to date and use strong, unique passwords.)
## Detection
- Indicators of Compromise: excessive, rapid querying of Google's account recovery or user-identification endpoints from a single source, potentially targeting known email addresses with partial phone-number matches.
- Detection Methods and Tools: Log analysis of rate-limited requests against account recovery APIs.
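To make the detection method above concrete, here is an added Python example (not code from the page or from Google) that flags one source submitting many distinct phone-number candidates for the same account against a recovery endpoint within a short window, and counts how many of those requests were rate-limited. The log format, endpoint path, IP addresses, accounts and candidate numbers are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumed for this example, not Google's own):
# <ISO timestamp> <src ip> <path> target=<account> phone=<candidate> status=<code>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<path>\S+) target=(?P<target>\S+) "
                     r"phone=(?P<phone>\S+) status=(?P<status>\d{3})$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Constructed sample: 198.51.100.7 sweeps eight candidates for one account, varying
    only the digits a +14•••••1779-style mask hides (last two hit a 429); two benign requests."""
    base = datetime(2025, 5, 1, 10, 0, 0)
    lines = []
    for i in range(8):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        status = 429 if i >= 6 else 200
        lines.append(f"{ts} 198.51.100.7 /recovery/phone target=alice@example.com "
                     f"phone=+14{i:05d}1779 status={status}")
    lines.append("2025-05-01T10:03:00Z 203.0.113.5 /recovery/phone "
                 "target=bob@example.com phone=+14155550100 status=200")
    lines.append("2025-05-01T10:04:00Z 203.0.113.9 /recovery/phone "
                 "target=alice@example.com phone=+14155551779 status=200")
    return "\n".join(lines)


def detect_enumeration(log_text, window_seconds=60, threshold=5):
    """Flag each (source, target) pair that submits at least `threshold` distinct phone
    candidates to a recovery endpoint within any `window_seconds` span; report the widest hit."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith("/recovery/"):
            continue  # skip unparsable lines and traffic to other endpoints
        ts = datetime.strptime(m["ts"], TS_FMT)
        events[(m["src"], m["target"])].append((ts, m["phone"], m["status"]))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for (src, target), evs in events.items():
        evs.sort()
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            span = evs[start:end + 1]
            distinct = {phone for _, phone, _ in span}
            if len(distinct) >= threshold and (best is None or len(distinct) > best[0]):
                best = (len(distinct), sum(1 for _, _, st in span if st == "429"))
        if best:
            alerts.append({"src": src, "target": target,
                           "distinct_candidates": best[0], "rate_limited": best[1]})
    return alerts
```

A single legitimate recovery attempt yields one candidate per pair and never trips the threshold, while a sweep over the masked digits does even before rate limiting kicks in.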
## References
- Vendor Advisories: Disclosure made via Google's Vulnerability Reward Program (VRP).
- Relevant Links:
  - https://www.bleepingcomputer.com/news/security/google-patched-bug-leaking-phone-numbers-tied-to-accounts/