Critical Google Bug Exposed User Phone Numbers: A Deep Dive
Discover how a recent Google bug allowed attackers to uncover user phone numbers, highlighting the importance of cybersecurity in protecting sensitive information.
TL;DR
A critical Google vulnerability allowed attackers to discover the phone numbers of almost any user by exploiting the account recovery process. The issue was promptly fixed, but it underscores the importance of robust cybersecurity measures to protect sensitive user information.
Critical Google Bug Exposed User Phone Numbers
Google recently addressed a significant security flaw that enabled attackers to retrieve the phone numbers of virtually any Google user. This vulnerability was discovered in the account recovery process, which typically allows users to regain access to their accounts using their phone numbers.
Discovery of the Vulnerability
A cybersecurity researcher known as Brutecat uncovered this issue. The researcher demonstrated that it was possible to figure out the phone number linked to any Google account, information that is usually private and considered sensitive.
Exploiting the Account Recovery Process
Brutecat found that the account recovery page lacked BotGuard protection. BotGuard is a cloud-based cybersecurity solution designed to protect websites from malicious bots and automated attacks. However, BotGuard relies on JavaScript for many of its advanced detection techniques. Since the recovery page did not use JavaScript, BotGuard was ineffective in this scenario.
Bypassing Security Measures
To exploit this vulnerability, Brutecat used rotating IP addresses and a method to bypass occasional CAPTCHAs. This approach allowed the researcher to sustain around 40,000 requests per second. At this rate, if the attacker knew the country code of the phone number, it would take approximately 20 minutes in the US and 4 minutes in the UK to discover the recovery phone number. The difference is due to the shorter phone numbers used in the UK.
Leveraging Partial Phone Number Hints
Google’s display of the last two digits of the phone number as a hint, combined with the use of Google’s own library ‘libphonenumber’ to generate valid number formats, significantly aided the attack.
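A defender's view of the two points above (rotating source IPs and the two-digit hint), as an added example that is not from the original article or from Google: a per-IP counter sees nothing unusual, while counting distinct candidate numbers that share a country code and last two digits exposes the enumeration. The log fields, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

WINDOW = 60  # seconds per counting window (assumed value)


def make_sample_events():
    """Constructed events: (unix_time, source_ip, country_code, national_number)."""
    events = []
    # Enumeration pattern: 300 guesses, one per source IP, all ending in "42".
    for i in range(300):
        ip = f"10.0.{i // 200}.{i % 200 + 1}"
        events.append((6000 + i % 60, ip, "1", f"202{i:05d}42"))
    # Background traffic: 20 IPs, 2 lookups each, varied last two digits.
    for j in range(40):
        ip = f"192.0.2.{j % 20 + 1}"
        events.append((6000 + j, ip, "1", f"303555{j:02d}{j:02d}"))
    return events


def per_ip_flags(events, limit=10):
    """Classic per-source-IP rate limit: flags IPs above `limit` per window."""
    counts = defaultdict(int)
    for ts, ip, _cc, _num in events:
        counts[(ts // WINDOW, ip)] += 1
    return {ip for (_win, ip), n in counts.items() if n > limit}


def suffix_flags(events, limit=50):
    """Flags (window, country_code, last_two_digits) buckets in which more than
    `limit` distinct numbers were tried, regardless of which IPs sent them."""
    numbers, ips = defaultdict(set), defaultdict(set)
    for ts, ip, cc, num in events:
        key = (ts // WINDOW, cc, num[-2:])
        numbers[key].add(num)
        ips[key].add(ip)
    return {k: (len(numbers[k]), len(ips[k]))
            for k in numbers if len(numbers[k]) > limit}


if __name__ == "__main__":
    sample = make_sample_events()
    print("per-IP flags:", per_ip_flags(sample))
    print("suffix-bucket flags:", suffix_flags(sample))
```

In production the bucket key would come from whatever hint the recovery flow reveals, and the threshold would be tuned against normal lookup volume for that country code.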
Exploiting Looker Studio for Display Names
Additionally, the researcher discovered a method to leak Google account display names by exploiting a feature in Looker Studio (formerly Google Data Studio). By creating a document in Looker Studio and transferring its ownership to the victim’s Google account, the victim’s full name would appear on the Looker Studio homepage under “Recent documents,” even if the victim never interacted with the document.
Google’s Response
Google spokesperson Kimberly Samra confirmed to TechCrunch that the issue has been resolved:
“This issue has been fixed. We’ve always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue. Researcher submissions like this are one of the many ways we’re able to quickly find and fix issues for the safety of our users.”
Google also stated that there are no confirmed reports of this vulnerability being exploited in the wild.
Implications for User Security
Despite the fix, this vulnerability highlights a significant risk for phishing and SIM-swapping attacks, especially since many users have their primary phone number as their account recovery number.
Conclusion
The discovery and prompt resolution of this Google vulnerability underscore the ongoing importance of vigilant cybersecurity measures. Users must remain proactive in protecting their personal information to mitigate the risks associated with such vulnerabilities.