A new vulnerability discovered by security researcher, brutecat, allowed attackers to bruteforce the phone numbers of Google users with minimal effort.
This newly disclosed vulnerability, reported on June 9, 2025, exposed a flaw in Google's account recovery system. By exploiting a weakness in Google's non-JavaScript account recovery form, an attacker could systematically guess a target's phone number based on minimal information.
Using just a $0.30/hour server, the researcher achieved approximately 40,000 checks per second. For users in some countries, this meant their complete phone number could be discovered in mere seconds once their display name was known:
- Netherlands (+31): 15 seconds
- Singapore (+65): 5 seconds
- United Kingdom (+44): 4 minutes
- United States (+1): 20 minutes
The attack required two key pieces of information: the victim's Google account display name and a hint about their phone number (like the masked format shown in the forgot password flow). The researcher found a way to obtain both by exploiting Google's Looker Studio product, which leaked display names without requiring any interaction from the victim. Here's the video.
Google's response was initially lukewarm. The researcher notes: "Panel awards $1,337 + swag. Rationale: Exploitation likelihood is low. (lol)." After appealing this assessment, Google ultimately awarded a total of $5,000, acknowledging the issue's medium likelihood of exploitation.
Google has now "fully deprecated" the non-JavaScript username recovery form, closing this particular avenue of attack.
Previously:
• Fascinating, accessible guide to cryptographic attacks, from brute-force to POODLE and beyond
• Watch the Lockpicking Lawyer brute force a combination lock with a robot
• Brute-force iPhone password guesser can bypass Apple's 10-guess lockout
• XKCD on the password paradox: human factors versus computers' brute force
• Safe-cracking robot autodials combinations to brute-force a high-security safe
