Full Report
Google has stepped in to address a security flaw that could have made it possible to brute-force an account's recovery phone number, potentially exposing the account's owner to privacy and security risks. The issue, according to Singaporean security researcher "brutecat," leverages a weakness in the company's account recovery feature. That said, exploiting the vulnerability hinges on several moving parts,
Analysis Summary
# Vulnerability: Google Account Phone Number Brute-Force Disclosure
## CVE Details
- CVE ID: Not explicitly assigned in the provided text (Reported April 14, 2025; Remediation June 6, 2025)
- CVSS Score: Not explicitly provided. Severity is inferred as High due to potential for SIM-swapping attacks.
- CWE: Likely related to Insufficient Rate Limiting or Broken Access Control in Account Recovery mechanisms.
## Affected Systems
- Products: Google Account Recovery Services
- Versions: Not versioned. Affected as long as the JavaScript-disabled version of the username recovery form (`accounts.google[.]com/signin/usernamerecovery`) was active and lacked sufficient anti-abuse protections.
- Configurations: Exploitation requires the deprecated, JavaScript-disabled username recovery page to be reachable.
## Vulnerability Description
The flaw resides in a deprecated, non-JavaScript version of Google's username recovery form. This endpoint, designed to check if a recovery phone number or email is associated with a display name, lacked effective CAPTCHA-based rate limiting. An attacker could bypass these protections to brute-force the digits of a victim's associated phone number.
The successful exploitation requires a three-step chain:
1. **Display Name Leak:** Obtaining the victim's Google account display name (e.g., via Looker Studio document ownership transfer).
2. **Masked Phone Number Leak:** Running the 'Forgot Password' flow for the target email to obtain the recovery phone number masked with only the last two digits visible (e.g., •• ••••••03).
3. **Brute-Forcing:** Using the known partial number and the display name validation endpoint to brute-force the remaining unknown digits of the recovery phone number.
## Exploitation
- Status: Researcher-confirmed successful non-public exploitation (Proof of Concept demonstrated).
- Complexity: Medium (Requires chaining multiple distinct flows/steps: Looker Studio data leak, Password Reset flow, and endpoint brute-forcing).
- Attack Vector: Network (Primarily via API/Web interaction).
## Impact
- Confidentiality: High (Phone number leak leads to identity correlation).
- Integrity: High (Exposed phone number enables account takeover via SIM-swapping).
- Availability: Medium (Indirect impact via account compromise).
## Remediation
### Patches
- Google patched the vulnerability by **completely removing the non-JavaScript username recovery form** as of June 6, 2025.
### Workarounds
- No specific temporary workarounds are listed, as the vulnerability was mitigated by removing the vulnerable endpoint entirely. Users should use strong, unique passwords and enable multi-factor authentication so that account security does not rest on phone-based recovery alone.
## Detection
- Detection efforts would primarily focus on monitoring for an unusually high volume of distinct validation requests against the now-deprecated username recovery endpoint from a single source IP or a small set of IPs, although this endpoint has since been removed.
- Indicator of Compromise (IOC): Unexpected SIM-swap attempts or account recovery initiations for connected Google accounts.
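The detection idea above (many distinct validation requests against one endpoint from one source in a short window) can be expressed as a small sliding-window detector. The following is an added example written for this report; it is not code from Google, from the researcher, or from the referenced articles. The access-log format, the client IPs, the opaque `q=` form fingerprint, and the thresholds (60-second window, 20 requests, 80% distinct) are all constructed assumptions; only the endpoint path comes from the report.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Deprecated endpoint named in the report (host omitted; path only).
ENDPOINT = "/signin/usernamerecovery"

# Assumed log format (constructed for this example):
#   <ISO-8601 UTC timestamp> <client ip> <method> <path> [q=<opaque fingerprint of submitted form fields>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+)(?: q=(?P<q>\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m.group("ip"), "path": m.group("path"), "q": m.group("q") or ""}


def detect_enumeration(lines, window_seconds=60, min_requests=20, min_distinct_ratio=0.8):
    """Flag source IPs that send many *distinct* recovery validation requests within a short window.

    A legitimate user retrying the same form produces repeated identical fingerprints; an
    enumeration burst produces a high count where nearly every request differs.
    Returns {ip: {"count", "distinct", "window_end"}} with the first window that tripped per IP.
    """
    events = [e for e in map(parse_line, lines) if e and e["path"] == ENDPOINT]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # ip -> deque of (timestamp, fingerprint) inside the window
    alerts = {}
    for e in events:
        dq = recent[e["ip"]]
        dq.append((e["ts"], e["q"]))
        # Drop entries that have aged out of the sliding window.
        while (e["ts"] - dq[0][0]).total_seconds() > window_seconds:
            dq.popleft()
        count = len(dq)
        distinct = len({q for _, q in dq})
        if count >= min_requests and distinct >= min_distinct_ratio * count and e["ip"] not in alerts:
            alerts[e["ip"]] = {"count": count, "distinct": distinct, "window_end": e["ts"]}
    return alerts


def build_sample_log():
    """Constructed sample traffic: one source bursting 40 distinct lookups, one benign user retrying."""
    base = datetime(2025, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # Burst: 40 requests, one per second, every form fingerprint different (constructed, TEST-NET-3 IP).
    for i in range(40):
        lines.append(f"{(base + timedelta(seconds=i)).strftime(fmt)} 203.0.113.5 POST {ENDPOINT} q=f{i:04d}")
    # Benign: 3 identical retries spread over ten minutes (constructed, TEST-NET-2 IP).
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=5 * i)).strftime(fmt)} 198.51.100.7 POST {ENDPOINT} q=same")
    # Unrelated path (constructed) that the detector must ignore.
    lines.append(f"{(base + timedelta(minutes=20)).strftime(fmt)} 198.51.100.7 GET /signin/other")
    return lines


if __name__ == "__main__":
    for ip, info in detect_enumeration(build_sample_log()).items():
        print(f"ALERT {ip}: {info['count']} requests, {info['distinct']} distinct, by {info['window_end'].isoformat()}")
```

The distinct-ratio check is what separates enumeration from ordinary retry noise: a real user who resubmits the same form twenty times is not flagged, while a source cycling through different inputs is flagged on the first window that crosses the threshold. In production the same logic would run over the real log schema with the fingerprint computed by the log pipeline, and the threshold tuned against a baseline of normal traffic to the endpoint.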
## References
- [Researcher Report (brutecat)](defanged: https://brutecat.com/articles/leaking-google-phones)
- [The Hacker News Article](defanged: https://thehackernews.com/2025/06/researcher-found-flaw-to-discover-phone.html)