A security researcher has discovered a bug that could be exploited to reveal the private recovery phone number of almost any Google account without alerting its owner, potentially exposing users to privacy and security risks.
Google confirmed to TechCrunch that it has fixed the bug after the researcher alerted the company in April.
The independent researcher, who goes by the handle brutecat and blogged about their findings, told TechCrunch that they were able to obtain the recovery phone number of a Google account by exploiting a bug in the company's account recovery feature.
The exploit relied on an "attack chain" of several individual steps that work together, including leaking the full display name of a targeted account and bypassing an anti-bot protection mechanism that Google put in place to prevent malicious spamming of password reset requests. Bypassing the rate limit ultimately allowed the researcher to cycle through every possible permutation of a Google account's phone number in a short period of time and arrive at the correct digits.
By automating the attack chain with a script, the researcher said it was possible to brute force a Google account holder's recovery phone number in 20 minutes or less, depending on the length of the phone number.
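A defensive counterpart to the attack chain described above, as an added example that is not part of the TechCrunch article or brutecat's write-up: a small Python detector that reads constructed recovery-attempt log lines (the `target=`/`guess=` line format and the account names are assumptions, not anything Google logs) and flags any account that receives more than a threshold of distinct phone-number guesses inside a sliding time window. The point it illustrates is that a limit keyed on the account being recovered, rather than only on the requesting client, still catches the enumeration even when the requester has defeated the bot protection.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Hypothetical log format (an assumption for this example):
#   <ISO-8601 UTC timestamp> target=<account> guess=<digits>
LINE_RE = re.compile(r"^(?P<ts>\S+) target=(?P<target>\S+) guess=(?P<guess>\d+)$")


def parse_line(line):
    """Parse one log line into (timestamp, target, guess); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["target"], m["guess"]


def detect_enumeration(lines, window_seconds=60, max_distinct_guesses=20):
    """Return {target: peak distinct guesses} for accounts that exceed the threshold.

    Lines are assumed to be in chronological order. Counting *distinct* guesses
    per target (not requests per client) is what makes this robust against an
    attacker who rotates sources or bypasses per-client bot protection.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)       # target -> deque of (ts, guess) inside the window
    in_window = defaultdict(Counter)  # target -> guess -> occurrences inside the window
    peak = defaultdict(int)           # target -> highest distinct-guess count seen
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the detector
        ts, target, guess = parsed
        q, counts = recent[target], in_window[target]
        q.append((ts, guess))
        counts[guess] += 1
        # Evict attempts that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            old_ts, old_guess = q.popleft()
            counts[old_guess] -= 1
            if counts[old_guess] == 0:
                del counts[old_guess]
        peak[target] = max(peak[target], len(counts))
    return {t: n for t, n in peak.items() if n > max_distinct_guesses}


def _fmt(ts, target, guess):
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} target={target} guess={guess}"


def build_sample_log():
    """Constructed sample traffic: one ordinary user and one enumeration burst."""
    base = datetime(2025, 4, 1, 10, 0, tzinfo=timezone.utc)
    lines = [
        # A real user mistypes once, then succeeds five minutes later.
        _fmt(base, "alice@example.com", "5550100"),
        _fmt(base + timedelta(minutes=5), "alice@example.com", "5550101"),
    ]
    # Fifty different guesses against one account inside fifty seconds.
    for i in range(50):
        lines.append(_fmt(base + timedelta(seconds=i), "bob@example.com", f"555{i:04d}"))
    return sorted(lines)  # ISO timestamps sort lexically, so this is chronological


if __name__ == "__main__":
    print(detect_enumeration(build_sample_log()))  # {'bob@example.com': 50}
```

Alice's two attempts are five minutes apart, so her first guess has left the window by the time the second arrives and she is never flagged; Bob's account accumulates 50 distinct guesses in one window and is reported. In production the same per-target counter would feed a lockout or step-up challenge rather than a printout.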
To test this, TechCrunch created a new Google account with a phone number that had never been used before, then provided brutecat with the new Google account's email address.
A short time later, brutecat messaged back with the phone number we had set.
“Bingo :),” the researcher said.
Revealing a private recovery phone number can expose even anonymous Google accounts to targeted attacks, such as takeover attempts. Identifying a private phone number linked to someone's Google account could make it easier for skilled hackers to take control of that phone number through a SIM swap attack, for example. By controlling that phone number, an intruder can reset the password of any account associated with it by having password reset codes sent to that phone.
Given the potential danger to the public, TechCrunch agreed to hold this story until the bug was fixed.
"This issue has been fixed. We've always stressed the importance of working together with the security research community through our vulnerability rewards program, and we want to thank the researcher for flagging this issue," Google spokesperson Kimberly Samra told TechCrunch. "Researcher submissions like this are one of the many ways we're able to quickly find and fix issues for the safety of our users."
Samra said the company has seen "no confirmed, direct links to exploits at this time."
brutecat said Google paid $5,000 as a reward for the finding.
