Researchers found a way to reveal phone numbers linked to Google accounts


A cybersecurity researcher was able to figure out the phone numbers linked to Google accounts, according to the researcher, Google, and 404 Media’s own tests.

The issue has since been fixed, but at the time it presented a privacy issue in which even hackers with relatively few resources could have brute-forced their way to people’s personal information.

“I think this exploit is pretty bad because it’s basically a SIM swappers’ gold mine,” the independent security researcher who discovered the issue, who goes by the handle Brutecat, wrote in an email. SIM swappers are hackers who take over a target’s phone number to receive their calls and texts, which can let them break into all kinds of accounts.

In mid-April, I provided Brutecat with one of my personal Gmail addresses to test the vulnerability. About six hours later, Brutecat responded with the correct and full phone number linked to that account.

“Essentially, it’s breaking numbers,” Brutecat said of their process. Brute forcing is when a hacker rapidly tries different combinations of digits or characters until finding the one they are after. Normally that is in the context of finding someone’s password, but here Brutecat does the same thing to determine the phone number of a Google user.

Brutecat said in an email that the brute forcing takes about an hour for a US number, and eight minutes for a UK one. In other countries, they said it can take up to a minute.

In an accompanying video demonstrating the exploit, Brutecat explains that the attacker needs the target’s Google display name. They find this by first transferring ownership of a document from Google’s Looker Studio product to the target, the video says. They say they changed the name of the document to be millions of characters long, which means that the target is not notified of the ownership switch. Using some custom code, detailed in their write-up, Brutecat then bombards Google with guesses of the phone number until getting a hit.

“No victims have been notified at all :)” a caption in the video reads.

A Google spokesman told 404 Media, “This issue has been fixed. We would like to thank the researchers for flagging this issue, as they constantly emphasized the importance of working with the security research community through our vulnerability rewards programme.”

A phone number is a key piece of information for SIM swappers. These types of hackers steal online usernames or cryptocurrency. But sophisticated SIM swappers have also escalated to targeting large enterprises. Some have worked directly with ransomware gangs from Eastern Europe.

Armed with a phone number, a SIM swapper can impersonate the victim and convince their telecom to reroute text messages to a SIM card the hacker controls. From there, the hacker can request password reset text messages or multifactor authentication codes, and log in to the victim’s valuable accounts. This can include accounts that store cryptocurrency, or email accounts, which can lead to further damage.

The FBI recommends on its website that people do not publish their phone numbers for this reason. “We protect your personal and financial information. Do not advertise any phone number, address or financial assets, including ownership or investments in cryptocurrency on social media sites,” the site reads.

In their write-up, Brutecat said Google awarded them $5,000 and some swag for their findings. Initially, Google marked the vulnerability as having a low chance of exploitation. According to Brutecat’s write-up, the company later upgraded that likelihood to medium.
