Security Researcher Uncovers Vulnerability Allowing Phone Number Exposure of Google Accounts

Google recently patched a vulnerability in its account recovery system that could have allowed attackers to guess users' recovery phone numbers. The flaw was found in an outdated, JavaScript-free username recovery form that lacked protections like CAPTCHA and rate-limiting, making it vulnerable to brute-force attacks. Singaporean researcher brutecat demonstrated that attackers could determine a phone number in seconds or minutes and potentially launch SIM-swapping attacks to hijack accounts.

The issue was reported to Google on April 14, 2025, and fixed on June 6, 2025. Google rewarded the researcher with $5,000.

Earlier, brutecat also discovered other significant vulnerabilities:

- A $10,000 flaw exposing YouTube channel owners' emails via API abuse.

- A $20,000 flaw in the /get_creator_channels endpoint that could reveal sensitive information of over 3 million YouTube Partner Program creators.

These vulnerabilities highlight the growing risks associated with digital platforms.

Stay secure — stay Wavasec. 🔐