Google Account Recovery Vulnerability Exposes Users' Phone Numbers to Attackers

A significant security flaw in Google’s account recovery system enabled malicious actors to acquire the phone numbers of any Google user through a sophisticated brute-force attack, as disclosed by a BruteCat security researcher this week.
The vulnerability, which has since been resolved, exploited Google’s No-JavaScript username recovery form to circumvent security measures and extract sensitive personal information.
This issue was rooted in Google’s legacy username recovery system, which operated without JavaScript enabled. A security researcher found that this overlooked endpoint could be manipulated to verify whether specific phone numbers were linked to particular display names, creating an opportunity for systematic phone number enumeration.
The attack methodology involved three main steps: first, obtaining the target’s Google account display name via Looker Studio by transferring document ownership, which would leak the victim’s name without requiring any interaction.
Second, the attacker initiated Google’s password recovery process to retrieve a masked phone number hint, revealing only the last few digits. Finally, a custom-built tool named “gpb” was used to brute-force the complete phone number by testing combinations against the known display name, according to the BruteCat report.
Vulnerability Exposes Users’ Phone Numbers
The researcher managed to bypass Google’s rate-limiting protections through clever technical workarounds. By utilizing IPv6 address ranges, which provide over 18 quintillion unique IP addresses, the attack could rotate through different addresses for each request, effectively evading Google’s anti-abuse mechanisms.
Additionally, the researcher discovered that botguard tokens from JavaScript-enabled forms could be repurposed for the No-JS version, eliminating captcha challenges that would typically hinder automated attacks.
The attack proved to be remarkably efficient, with the researcher achieving around 40,000 verification attempts per second using a modest server costing $0.30 per hour.
Depending on the country code, complete phone numbers could be extracted in timeframes ranging from just seconds for smaller countries like Singapore to approximately 20 minutes for the United States.
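The IPv6 rotation described above works because a per-address rate limit treats every address in an attacker's /64 as a separate client. The following added example (not code from BruteCat or Google) shows the defensive fix: keying the limiter on the IPv6 /64 prefix instead of the full address. The prefix length, the limit of 20 requests per 60 seconds and the constructed 2001:db8::/32 documentation addresses are all assumptions for illustration.

```python
import ipaddress
from collections import defaultdict, deque


def subnet_key(ip: str, v6_prefix: int = 64) -> str:
    """Collapse an IPv6 address to the /64 it belongs to (one host is routinely
    handed a whole /64, so that is the unit an abuser controls). IPv4 addresses
    are used as-is. Assumption: /64 is the right granularity for this service."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return str(ipaddress.ip_network((addr, v6_prefix), strict=False))
    return str(addr)


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit: int, window: float, key_fn):
        self.limit, self.window, self.key_fn = limit, window, key_fn
        self.hits = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, ip: str, now: float) -> bool:
        q = self.hits[self.key_fn(ip)]
        while q and now - q[0] >= self.window:  # drop expired timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def rotating_burst(count: int):
    """Constructed input: `count` distinct addresses from one /64, mimicking a
    client that rotates its source address on every request."""
    base = int(ipaddress.IPv6Address("2001:db8:abcd:1::"))
    return [str(ipaddress.IPv6Address(base + i)) for i in range(1, count + 1)]


def allowed_count(limiter: SlidingWindowLimiter, ips, now: float = 0.0) -> int:
    """How many of a burst of simultaneous requests the limiter lets through."""
    return sum(limiter.allow(ip, now) for ip in ips)


if __name__ == "__main__":
    burst = rotating_burst(1000)
    per_address = SlidingWindowLimiter(20, 60.0, key_fn=lambda ip: ip)
    per_prefix = SlidingWindowLimiter(20, 60.0, key_fn=subnet_key)
    print("per-address limiter allowed:", allowed_count(per_address, burst))  # 1000
    print("per-/64 limiter allowed:    ", allowed_count(per_prefix, burst))   # 20
```

The same idea applies to any enumeration-prone endpoint: count abuse at the granularity the attacker can cheaply obtain, and make sure the legacy, no-JavaScript variant of a form shares the limiter and anti-abuse tokens of its modern counterpart rather than having its own weaker path.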
Google was informed of the vulnerability on April 14, 2025, and responded promptly by implementing temporary mitigations while working on a permanent fix.
The company fully deprecated the vulnerable No-JS username recovery form by June 6, 2025, effectively closing the attack vector.
Recognizing the severity of the discovery, Google initially awarded a bounty of $1,337, which was later increased to $5,000 after the researcher appealed, citing the attack’s lack of prerequisites and undetectable nature.
This incident underscores the ongoing security challenges posed by legacy systems and highlights the necessity for comprehensive security audits across all service endpoints, even those that may seem outdated or infrequently used.