A vulnerability allowed researchers to brute-force any Google account’s restoration cellphone quantity just by realizing a their profile title and an simply retrieved partial cellphone quantity, creating a large danger for phishing and SIM-swapping assaults.
The assault methodology includes abusing a now-deprecated JavaScript-disabled model of the Google username restoration kind, which lacked trendy anti-abuse protections.
The flaw was found by safety researcher BruteCat, the identical one who demonstrated in February that it is doable to show the personal electronic mail addresses of YouTube accounts.
BruteCat instructed BleepingComputer that whereas the assault retrieves the cellphone quantity customers configured for the Google account restoration, this is identical because the account holder’s main cellphone quantity within the overwhelming majority of circumstances.
Brute-forcing Google numbers
BruteCat found that he may entry a legacy no-JavaScript username restoration kind, which gave the impression to be working as anticipated.
The shape allowed querying if a cellphone quantity was related to a Google account primarily based on a consumer’s profile show title (“John Smith”) through two POST requests.
The researcher bypassed the rudimentary rate-limiting defenses on the shape through the use of IPv6 handle rotation to generate trillions of distinctive supply IPs through /64 subnets for these requests.
The CAPTCHAs displayed by many requests have been bypassed by substituting the ‘bgresponse=js_disabled’ parameter with a legitimate BotGuard token from the JS-enabled kind.
Supply: BruteCat
With the method set, BruteCat developed a brute-forcing instrument (gpb) that iterates by means of quantity ranges utilizing country-specific codecs and filters false positives.
The researcher used Google’s ‘libphonenumber’ to generate legitimate quantity codecs, constructed a rustic masks database to determine cellphone codecs by area, and wrote a script to generate BotGuard tokens through headless Chrome.
On a brute-forcing price of 40,000 requests per second, US numbers would take about 20 minutes, UK 4 minutes, and the Netherlands lower than 15 seconds.
.jpg)
Supply: BruteCat
To begin an assault towards somebody, their electronic mail handle is required for the shape, however Google has set this to hidden since final yr.
BruteCat discovered he may retrieve it by making a Looker Studio doc and transferring possession to the goal’s Gmail handle.
As soon as possession is transferred, the goal’s Google show title seems on the doc creator’s Looker Studio dashboard, requiring zero interplay with the goal.
Armed with this electronic mail handle, they may carry out repeated queries to find out all cellphone numbers related to the profile title.
Nonetheless, as there might be 1000’s of accounts with the identical profile title, the researcher narrowed it down utilizing the goal’s partial quantity.
To get a partial cellphone quantity for the consumer, the researcher utilized Google’s “account restoration” workflow, which is able to show two digits of a configured restoration cellphone quantity.
“This time may also be considerably diminished by means of cellphone quantity hints from password reset flows in different companies akin to PayPal, which give a number of extra digits (ex. +14•••••1779)”, explains BruteCat.
The leaking of cellphone numbers related to a Google account may cause a large safety danger to customers, who can then be focused in focused vishing assaults or SIM swap assaults.
An illustration of exploiting this flaw might be seen within the video under.
Bug mounted
BruteCat reported his findings to Google through the tech large’s Vulnerability Reward Program (VRP) on April 14, 2025.
Google initially thought-about the exploitability danger low, however on Might 22, 2025, it upgraded the difficulty to “medium severity,” making use of interim mitigations and paying the researcher a reward of $5,000 for the disclosure.
On June 6, 2025, Google confirmed that it had totally deprecated the susceptible no-JS restoration endpoint.
The assault vector is now not exploitable, however whether or not or not it was ever maliciously exploited stays unknown.
Patching used to imply advanced scripts, lengthy hours, and countless fireplace drills. Not anymore.
On this new information, Tines breaks down how trendy IT orgs are leveling up with automation. Patch quicker, scale back overhead, and deal with strategic work — no advanced scripts required.
