Detailed Briefing: Google Account Recovery Bug Exposing Private Phone Numbers
Date: June 9, 2025 (Bug Fix Confirmed) / July 15, 2025 (TechCrunch Article Publication)
Source: Excerpts from "Google fixes bug that could reveal users' private phone numbers | TechCrunch" by Zack Whittaker.
I. Executive Summary
A critical security bug in Google's account recovery feature, discovered by the independent security researcher "brutecat," allowed the private recovery phone number associated with nearly any Google account to be exposed. The vulnerability posed significant privacy and security risks, including enabling targeted attacks such as SIM swap attempts. Google confirmed it had fixed the bug after the researcher alerted the company in April 2025, and states it has seen "no confirmed, direct links to exploits at this time." The researcher received a $5,000 bug bounty reward.
II. Key Themes & Most Important Ideas/Facts
Nature of the Vulnerability:
Exposure of Private Recovery Phone Numbers: The core issue was the ability to reveal the "private recovery phone number of almost any Google account without alerting its owner." This is a significant privacy breach as these numbers are intended to be secure and confidential.
Exploitation through Account Recovery Feature: The bug was specifically located within Google's account recovery mechanism.
"Attack Chain" Methodology: The exploit was not a single flaw but relied on an "attack chain" of several individual processes working together.
Leaking Display Name: One component involved "leaking the full display name of a targeted account."
Bypassing Anti-bot Protection/Rate Limit: A crucial step was "bypassing an anti-bot protection mechanism that Google implemented to prevent the malicious spamming of password reset requests." This bypass of the "rate limit ultimately allowed the researcher to cycle through every possible permutation of a Google account’s phone number in a short space of time and arrive at the correct digits."
Automated Brute-Force Capability: The researcher confirmed it was possible to "automate the attack chain with a script" to "brute-force a Google account owner’s recovery phone number in 20 minutes or less, depending on the length of the phone number." TechCrunch independently verified this by providing an email address and receiving the associated phone number back from brutecat.
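The rate-limit bypass above defeated a check on the requester; the defender-side complement is a limit keyed on the targeted account, so that distributing guesses across many sources still trips it and the owner can be alerted. The following is an added example, not code from Google or from the article, over a constructed log format (epoch seconds, target account, source IP, guessed digits) that is an assumption for illustration:

```python
from collections import defaultdict, deque

# Constructed sample log (assumed format): ts target_account source_ip guessed_digits.
# One account is probed from many different source IPs within one minute,
# the pattern a per-source anti-bot check alone would miss.
SAMPLE_LOG = """1717920000 alice@example.com 203.0.113.5 4471
1717920005 alice@example.com 203.0.113.6 4472
1717920010 alice@example.com 203.0.113.7 4473
1717920015 alice@example.com 203.0.113.8 4474
1717920020 alice@example.com 203.0.113.9 4475
1717920025 alice@example.com 203.0.113.10 4476
1717920030 alice@example.com 203.0.113.11 4477
1717920035 alice@example.com 203.0.113.12 4478
1717920040 bob@example.com 198.51.100.2 9910
1717920400 bob@example.com 198.51.100.2 9910
"""

WINDOW_SECONDS = 600          # sliding window per target account
MAX_ATTEMPTS_PER_TARGET = 5   # recovery-hint checks allowed per target per window


def parse_log(text):
    """Parse the constructed log into (ts, target, source_ip, guess) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, target, src, guess = line.split()
        events.append((int(ts), target, src, guess))
    return events


def detect_probing(events, window=WINDOW_SECONDS, limit=MAX_ATTEMPTS_PER_TARGET):
    """Return {target: (attempts_in_window, distinct_sources)} for every target
    account whose recovery-hint attempts exceed `limit` inside `window` seconds,
    counted across all source IPs. Each flagged target is a candidate for
    throttling and an owner notification."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, target, src, _guess in sorted(events):
        q = recent[target]
        q.append((ts, src))
        while q and ts - q[0][0] > window:   # drop attempts outside the window
            q.popleft()
        if len(q) > limit:
            flagged[target] = (len(q), len({s for _, s in q}))
    return flagged


if __name__ == "__main__":
    print(detect_probing(parse_log(SAMPLE_LOG)))
```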
Potential Risks and Consequences:
Targeted Attacks: Revealing the recovery phone number "can expose even anonymous Google accounts to targeted attacks."
Account Takeover Attempts: A primary risk is "takeover attempts" of user accounts.
SIM Swap Attacks: Identifying a private phone number "could make it easier for skilled hackers to take control of that phone number through a SIM swap attack."
Cascading Security Failures: With control of the phone number (via SIM swap), an attacker "can reset the password of any account associated with that phone number by generating password reset codes sent to that phone," leading to a broader compromise of a user's online presence.
Google's Response and Remediation:
Bug Fixed: Google "confirmed to TechCrunch that it fixed the bug after the researcher alerted the company in April."
Collaboration with Security Researchers: Google emphasized the importance of its "vulnerability rewards program" and thanked the researcher for "flagging this issue."
No Confirmed Exploits: Google spokesperson Kimberly Samra stated, "This issue has been fixed. We’ve always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue." Samra also said the company has seen "no confirmed, direct links to exploits at this time."
Bug Bounty Payout: Brutecat confirmed Google "paid $5,000 in a bug bounty reward for their finding."
Responsible Disclosure: TechCrunch "agreed to hold this story until the bug could be fixed," demonstrating a commitment to responsible disclosure practices to protect users.
III. Stakeholder Implications
Google: Demonstrates the effectiveness of its bug bounty program and its commitment to fixing vulnerabilities quickly once identified. It also highlights the ongoing need for robust security measures, particularly around sensitive features like account recovery, and the challenge of anticipating complex "attack chains."
Google Users: While the bug is now fixed, it serves as a reminder of the inherent risks associated with online accounts and the importance of monitoring security notifications. The fact that numbers could be exposed "without alerting its owner" is particularly concerning.
Security Researchers: Reinforces the value of independent security research in identifying and responsibly disclosing vulnerabilities, earning both recognition and payment for the effort while contributing to broader online safety. The $5,000 bounty reflects Google's valuation of such critical findings.
Cybersecurity Community: This case provides a valuable example of how seemingly small bypasses (like rate limits) can be combined into a powerful exploit, emphasizing the need for defense-in-depth strategies and the complexity of modern attack vectors.