Google Vulnerability Let Attackers Access Any Google User Phone Number
A critical security vulnerability in Google’s account recovery system allowed malicious actors to obtain the phone numbers of any Google user through a sophisticated brute-force attack, according to a disclosure by a BruteCat security researcher published this week.
The vulnerability, which has since been patched, exploited Google’s No-JavaScript username recovery form to bypass security protections and extract sensitive personal information.
The vulnerability centered on Google’s legacy username recovery system that functioned without JavaScript enabled. A security researcher discovered that this forgotten endpoint could be manipulated to verify whether specific phone numbers were associated with particular display names, creating an opportunity for systematic phone number enumeration.

The attack methodology involved three key steps. First, the attacker obtained the target’s Google account display name through Looker Studio by transferring document ownership, which leaked the victim’s name without requiring any interaction from them.
Second, the attacker initiated Google’s forgot-password flow to retrieve a masked phone number hint that shows only the last few digits. Finally, a custom-built tool called “gpb” brute-forced the complete phone number by testing candidate numbers against the known display name, according to the BruteCat report.
Vulnerability Leaks Users’ Phone Numbers
The researcher overcame Google’s rate-limiting protections through clever technical workarounds. By utilizing IPv6 address ranges providing over 18 quintillion unique IP addresses, the attack could rotate through different addresses for each request, effectively bypassing Google’s anti-abuse mechanisms.
Additionally, the researcher discovered that botguard tokens from JavaScript-enabled forms could be repurposed for the No-JS version, eliminating captcha challenges that would otherwise prevent automated attacks.
The attack proved remarkably efficient, with the researcher achieving approximately 40,000 verification attempts per second using a modest $0.30/hour server.
Depending on the country code, complete phone numbers could be extracted in timeframes ranging from mere seconds for smaller countries like Singapore to around 20 minutes for the United States.
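The rate-limit bypass described above works because a limit keyed on the exact source address sees every rotated IPv6 address as a new client. The following added example (not code from Google or from the BruteCat report) contrasts that weak scheme with one that buckets IPv6 clients by their /64 prefix, replaying a constructed trace of 200 requests that each come from a different address inside one /64; the limiter, its constants and the trace are all hypothetical.

```python
import ipaddress
from collections import defaultdict

# Hypothetical per-client rate limiter (not Google's code). Keying the limit
# on the exact IPv6 address is defeated by a client that uses a fresh address
# for every request; keying on the routed prefix (/64, the smallest block
# normally delegated to one endpoint) collapses that rotation onto one bucket.

LIMIT = 5          # requests allowed per key per window (constructed value)
WINDOW = 60.0      # window length in seconds (constructed value)

def client_key(ip, prefix_len=64):
    """Return the rate-limit bucket for a source address.
    prefix_len=None keys on the exact address (the weak scheme);
    for IPv6, prefix_len=64 keys on the /64 the address belongs to."""
    addr = ipaddress.ip_address(ip)
    if prefix_len is None or addr.version == 4:
        return str(addr)
    return str(ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False))

class RateLimiter:
    def __init__(self, prefix_len):
        self.prefix_len = prefix_len
        self.hits = defaultdict(list)   # key -> timestamps of recent hits

    def allow(self, ip, now):
        """Sliding-window check: True if the request may proceed."""
        key = client_key(ip, self.prefix_len)
        recent = [t for t in self.hits[key] if now - t < WINDOW]
        if len(recent) < LIMIT:
            recent.append(now)
        self.hits[key] = recent
        return recent[-1] == now and len(recent) <= LIMIT and now in recent[-1:]

def count_allowed(requests, prefix_len):
    """Replay a (timestamp, ip) trace and count how many requests get through."""
    rl = RateLimiter(prefix_len)
    return sum(1 for t, ip in requests if rl.allow(ip, t))

# Constructed trace: 200 requests within one second, each from a different
# address inside a single /64, mimicking per-request address rotation.
ROTATING = [(i * 0.005, f"2001:db8:1:1::{i + 1:x}") for i in range(200)]

if __name__ == "__main__":
    print("per-address limit lets through:", count_allowed(ROTATING, None))
    print("per-/64 limit lets through:", count_allowed(ROTATING, 64))
```

Bucketing by /64 is a floor, not a ceiling: an abuser holding a larger delegation can still spread requests across many /64s, so production limits typically layer a coarser prefix (for example /48) and per-account or per-target counters on top.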
Google was notified of the vulnerability on April 14, 2025, and responded quickly by implementing temporary mitigations while working toward a permanent solution.
The company fully deprecated the vulnerable No-JS username recovery form by June 6, 2025, effectively eliminating the attack vector.
Google recognized the severity of the discovery, initially awarding $1,337 before increasing the bounty to $5,000 after the researcher appealed, citing the attack’s lack of prerequisites and undetectable nature.
This incident highlights the ongoing security challenges posed by legacy systems and the importance of comprehensive security audits across all service endpoints, even those seemingly obsolete or rarely used.