Google Account Flaw Could Expose Linked Phone Numbers

A recently uncovered vulnerability could allow attackers to recover the phone number associated with a Google account by performing a brute-force attack. 

The issue was discovered by a security researcher who goes by the alias “brutecat.” He found that a flaw in Google’s account recovery process made it possible to brute-force the phone number linked to any account. 

The vulnerability stemmed from a now-outdated version of Google’s username recovery page that still functioned even when JavaScript was disabled. Importantly, this version lacked proper anti-abuse protections. 

During a test, the researcher disabled JavaScript in his browser to see which Google services would still work. He noticed that the username recovery form continued to operate. 

This form allowed users to determine whether a recovery phone number or email address was connected to a specific display name. It did so using two HTTP POST requests. The first submitted the phone number and returned a unique identifier called “ess.” The second, which used this identifier along with a display name like “John Smith,” would reveal whether the account existed by redirecting to either a “no account found” or a “challenge” page. 

According to the researcher’s report, the username recovery form enabled users to verify if a specific display name was associated with a recovery contact. 

The researcher explored whether this form could be brute-forced. Initial efforts were stopped by rate limiting and CAPTCHA requirements. He then attempted to bypass these restrictions using proxies and rotating IPv6 addresses. Although he created a proof-of-concept, using datacenter IPs always triggered CAPTCHA. Eventually, he discovered that by transferring a BotGuard token from the JavaScript-enabled version of the form to the JavaScript-disabled one, he could avoid these checks and successfully brute-force the last digits of phone numbers linked to certain display names. He used randomized last names to filter out false positives. 

This flaw allowed attackers to bypass CAPTCHA limits and rapidly test number combinations, making it possible to uncover an account’s full phone number within seconds or minutes, depending on its length. It effectively enabled the abuse of Google’s recovery form to extract sensitive data connected to display names such as “John Smith.” 

After developing a working proof of concept, the remaining hurdles included identifying the target’s country code and exact display name. The country code could be inferred from the masked number format shown by Google during password recovery, using reference patterns from the libphonenumber database. Display names were more difficult to obtain, though one was exposed when a Looker Studio document was shared with the target account. With both the masked number and a valid display name, the brute-force tool could reconstruct the full phone number by applying refined validation methods and BotGuard tokens.
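From the defender's side, the pattern described above (one display name tested against many phone-number candidates, from rotating source addresses, on a form path that carried no bot-detection token) is visible in server logs. The following Python sketch is an added example, not code from the researcher or from Google; the log format, field names, the use of the "ess" value as a stand-in for one phone candidate, and the thresholds are all assumptions.

```python
# Added example (not Google's code): spot brute-force probing of a
# username-recovery form from server logs. Constructed log format, one
# line per second-stage POST:
#   <ISO ts> <src_ip> name="<display name>" ess=<id> bot_token=<yes|no>
# Each distinct "ess" stands for one phone-number candidate from step one.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) name="(?P<name>[^"]+)" '
                     r'ess=(?P<ess>\S+) bot_token=(?P<tok>yes|no)$')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev

def find_enumeration(lines, window=timedelta(minutes=5), max_candidates=20):
    """Map display name -> summary for names probed with more than
    max_candidates distinct phone candidates inside one sliding window."""
    by_name = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        by_name[ev["name"]].append(ev)
    alerts = {}
    for name, evs in by_name.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:  # slide window start
                start += 1
            span = evs[start:end + 1]
            cands = {e["ess"] for e in span}
            # keep the widest offending window seen for this name
            if len(cands) > max(max_candidates, alerts.get(name, {}).get("candidates", 0)):
                alerts[name] = {"candidates": len(cands),
                                "source_ips": len({e["ip"] for e in span}),
                                "no_bot_token": sum(e["tok"] == "no" for e in span)}
    return alerts

def sample_log():
    """Constructed data: 30 probes of one name from rotating IPv6 sources
    without a bot token, plus three benign lookups of another name."""
    base = datetime(2025, 6, 9, 12, 0, tzinfo=timezone.utc)
    stamp = lambda d: d.isoformat().replace("+00:00", "Z")
    lines = [f'{stamp(base + timedelta(seconds=i))} 2001:db8::{i:x} '
             f'name="John Smith" ess=e{i:03d} bot_token=no' for i in range(30)]
    lines += [f'{stamp(base + timedelta(minutes=i))} 198.51.100.7 '
              f'name="Ada Lovelace" ess=b{i} bot_token=yes' for i in range(3)]
    return lines
```

Because the count is keyed on the display name rather than the source address, rotating IPv6 addresses does not dilute it; a high `no_bot_token` share on the same name is the extra signal that the unprotected form path is being used.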
