
A vulnerability allowed researchers to brute-force any Google account's recovery phone number simply by knowing the profile name and an easily retrieved partial phone number, creating a massive risk of phishing and SIM-swapping attacks.
The attack method involves abusing a now-deprecated JavaScript-disabled version of the Google username recovery form, which lacked modern anti-abuse protections.
The flaw was discovered by security researcher BruteCat, the same researcher who demonstrated in February that it is possible to expose the private email addresses of YouTube accounts.
BruteCat told BleepingComputer that while the attack retrieves the phone number users configured for Google account recovery, this is the same as the account holder's primary phone number in the overwhelming majority of cases.
Brute-forcing Google numbers
BruteCat found that he could access a legacy no-JavaScript username recovery form, which appeared to be working as expected.
The form allowed querying whether a phone number was associated with a Google account based on a user's profile display name ("John Smith") via two POST requests.
The researcher bypassed the rudimentary rate-limiting defenses on the form by using IPv6 address rotation to generate trillions of unique source IPs via /64 subnets for these requests.
The CAPTCHAs displayed by many requests were bypassed by substituting the 'bgresponse=js_disabled' parameter with a valid BotGuard token from the JS-enabled form.
Source: BruteCat
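The rate-limit bypass above works because a per-address limiter treats every host in a /64 as a new client. As an added defensive example (not part of the original article or of BruteCat's tooling), the limiter below keys its budget on the IPv6 /64 prefix (and the host address for IPv4), so a rotation through one /64 shares a single budget; the addresses, limits and the simulation helper are constructed for illustration.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Prefix lengths used to normalise a client address into a rate-limit bucket.
# A single IPv6 host commonly controls an entire /64, so per-address limits are
# evaded by rotating through it; counting the whole /64 as one client closes that.
IPV4_PREFIX = 32
IPV6_PREFIX = 64


def bucket_key(ip, v6_prefix=IPV6_PREFIX):
    """Collapse an address to the network it most likely belongs to."""
    addr = ipaddress.ip_address(ip)
    prefix = IPV4_PREFIX if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class PrefixRateLimiter:
    """Sliding-window limiter: at most `limit` hits per `window` seconds per bucket."""

    def __init__(self, limit, window, v6_prefix=IPV6_PREFIX):
        self.limit, self.window, self.v6_prefix = limit, window, v6_prefix
        self._hits = defaultdict(deque)  # bucket key -> timestamps of recent hits

    def allow(self, ip, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits[bucket_key(ip, self.v6_prefix)]
        while q and now - q[0] >= self.window:  # expire hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate_rotation(limiter, base_net, count):
    """Constructed traffic: `count` requests, each from a different host in `base_net`.

    Returns how many the limiter admitted (all sent at the same instant).
    """
    net = ipaddress.ip_network(base_net, strict=False)
    return sum(limiter.allow(str(net.network_address + i), now=0.0) for i in range(count))


if __name__ == "__main__":
    per_prefix = PrefixRateLimiter(limit=5, window=60)            # keyed on /64
    per_address = PrefixRateLimiter(limit=5, window=60, v6_prefix=128)  # naive keying
    print("per-/64 limiter admitted:", simulate_rotation(per_prefix, "2001:db8:1:2::/64", 1000))
    print("per-address limiter admitted:", simulate_rotation(per_address, "2001:db8:1:2::/64", 1000))
```

The same idea extends to a coarser /48 bucket for the upstream allocation when one tenant can request many /64s.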
With the technique established, BruteCat developed a brute-forcing tool (gpb) that iterates through number ranges using country-specific formats and filters out false positives.
The researcher used Google's 'libphonenumber' to generate valid number formats, built a country mask database to identify phone formats by region, and wrote a script to generate BotGuard tokens via headless Chrome.
At a brute-forcing rate of 40,000 requests per second, US numbers would take about 20 minutes, UK numbers 4 minutes, and Netherlands numbers less than 15 seconds.
Source: BruteCat
To start an attack against someone, their email address is required for the form, but Google has set this to hidden since last year.
BruteCat found he could retrieve it by creating a Looker Studio document and transferring ownership to the target's Gmail address.
Once ownership is transferred, the target's Google display name appears on the document creator's Looker Studio dashboard, requiring zero interaction with the target.
Armed with this email address, they could perform repeated queries to determine all phone numbers associated with the profile name.
However, as there may be thousands of accounts with the same profile name, the researcher narrowed it down using the target's partial number.
To get a partial phone number for the user, the researcher used Google's "account recovery" workflow, which displays two digits of a configured recovery phone number.
"This time can also be significantly reduced by phone number hints from password reset flows in other services such as PayPal, which provide several more digits (ex. +14•••••1779)," explains BruteCat.
The leaking of phone numbers associated with a Google account poses a massive security risk to users, who can then be the subject of targeted vishing or SIM swap attacks.
A demonstration of exploiting this flaw can be seen in the video below.
Bug fixed
BruteCat reported his findings to Google via the tech giant's Vulnerability Reward Program (VRP) on April 14, 2025.
Google initially considered the exploitability risk low, but on May 22, 2025, it upgraded the issue to "medium severity," applying interim mitigations and paying the researcher a $5,000 reward for the disclosure.
On June 6, 2025, Google confirmed that it had fully deprecated the vulnerable no-JS recovery endpoint.
The attack vector is no longer exploitable, but whether or not it was ever maliciously exploited remains unknown.
