Google Patches Critical Vulnerability That Risked Exposure of Users’ Phone Numbers

211/68 Thursday, June 12, 2025

Google has patched a significant security vulnerability that could have exposed users’ recovery phone numbers. The flaw allowed malicious actors to brute-force the recovery phone number associated with a Google account using only partial information—such as the account’s display name and a few known digits of the phone number. This posed a serious risk for phishing attacks and SIM swap fraud. The vulnerability was rooted in an outdated version of Google’s username recovery form that lacked JavaScript and modern security protections. Although this version has since been retired, it remained accessible until recently.

The vulnerability was discovered by cybersecurity researcher BruteCat, who in February had demonstrated a method to reveal the private email addresses linked to YouTube accounts. BruteCat explained that in most cases the recovery number was in fact the user’s main phone number. He found that the non-JavaScript recovery form still processed POST requests that check whether a phone number matches a Google profile name (e.g., “John Smith”). By rotating through a vast number of IPv6 addresses within a single /64 subnet, BruteCat bypassed the per-address request limits. He also circumvented CAPTCHA by replacing the parameter 'bgresponse=js_disabled' with a valid BotGuard token taken from a JavaScript-enabled form. These techniques allowed him to build a brute-force tool (named gpb) that could cycle through number ranges using country-specific formats and filter out false positives.
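The rate-limit bypass described above works because each IPv6 address inside a /64 counts as a new client. One defensive countermeasure, shown here as an added example that is not code from Google or from the researcher's tool, is a sliding-window rate limiter that keys IPv6 clients on their /64 prefix (and IPv4 clients on the single address), so that rotating through addresses within one /64 shares a single request budget. The limit and window values are illustrative assumptions.

```python
import ipaddress
import time
from collections import defaultdict


def rate_limit_key(addr: str) -> str:
    """Bucket key for a client address: the /64 for IPv6, the /32 for IPv4.

    A single host is commonly assigned a whole /64, so per-address limits
    can be evaded by hopping through that range; keying on the prefix closes it.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return str(ipaddress.IPv6Network(f"{ip}/64", strict=False))
    return str(ipaddress.IPv4Network(f"{ip}/32", strict=False))


class PrefixRateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window_s` seconds per key."""

    def __init__(self, limit: int, window_s: float, key_fn=rate_limit_key):
        self.limit = limit
        self.window_s = window_s
        self.key_fn = key_fn
        self._hits = defaultdict(list)  # key -> sorted request timestamps

    def allow(self, addr: str, now=None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits[self.key_fn(addr)]
        cutoff = now - self.window_s
        while hits and hits[0] <= cutoff:  # discard requests outside the window
            hits.pop(0)
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def simulate_rotation(limiter: PrefixRateLimiter, prefix: str, attempts: int, now=0.0) -> int:
    """Send `attempts` requests, each from a distinct constructed address inside `prefix`,
    all within one window; return how many the limiter admitted."""
    net = ipaddress.ip_network(prefix)
    allowed = 0
    for i in range(attempts):
        if limiter.allow(str(net.network_address + i + 1), now):
            allowed += 1
    return allowed
```

Passing `key_fn=lambda a: a` reproduces the weak per-address behaviour, which admits every rotated address; the default prefix key admits only `limit` of them.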

BruteCat reported the issue to Google on April 14, 2025, via its Vulnerability Reward Program (VRP). Initially, Google assessed the risk as low. However, on May 22, 2025, the company upgraded the severity to “medium,” implemented interim mitigation measures, and awarded BruteCat $5,000 for the disclosure. On June 6, 2025, Google confirmed that it had fully decommissioned the vulnerable non-JS recovery endpoint, closing off this attack vector entirely. While there is no public evidence the vulnerability was exploited in the wild, its remediation significantly reduces the risk of targeted cyberattacks involving exposed phone numbers.

Source: https://www.bleepingcomputer.com/news/security/google-patched-bug-leaking-phone-numbers-tied-to-accounts/