Google fixes bugs that could reveal users’ private phone numbers
Security researchers discovered a bug that could be exploited to reveal the private recovery phone number of almost any Google account without alerting its owner, putting users at risk of privacy and security threats.
Google confirmed to TechCrunch that it fixed the bug after researchers warned the company in April.
The independent security researcher who goes by the handle brutecat, who wrote about their findings on their blog, told TechCrunch that by exploiting the bug in the company’s account recovery feature, it was possible to obtain the recovery phone number of a target Google account.
The exploit relied on an “attack chain” of several individual steps working in tandem, including leaking the full display name of the target account and bypassing the anti-bot protection that Google put in place to prevent malicious spam in password reset requests. Bypassing those rate limits ultimately allowed the researcher to cycle through every possible permutation of a Google account’s phone number in a short time, eventually arriving at the correct number.
By automating the attack chain with scripts, the researcher said it was possible to brute force the recovery phone number of a Google account’s owner within 20 minutes, depending on the length of the phone number.
To test this, TechCrunch set up a new Google account using a phone number that has never been used before and provided Brutecat with the email address of the new Google account.
After a while, Brutecat sent a message with the phone number we had set up.
“Bingo:),” the researcher said.
By exposing a private recovery phone number, even anonymous Google accounts can be subjected to targeted attacks, such as takeover attempts. Identifying the private phone number associated with someone’s Google account can make it easier for a skilled hacker to take control of that phone number, for example through a SIM swap attack. By controlling that phone number, an attacker can reset the password of any account associated with it by having password reset codes sent to the phone.
Given the potential risks to the wider public, TechCrunch agreed to hold this story until the bug was fixed.
“This issue has been fixed. We have always emphasized the importance of working with the security research community through our vulnerability rewards program. We would like to thank the researchers for flagging this issue. Such researcher submissions are one of many ways to quickly find and fix issues for the sake of user safety,” Google spokesperson Samra said.
Samra said the company “will not expose any direct links that have been confirmed at this time.”
Brutecat said Google paid $5,000 as a bug bounty for the discovery.