
Google Patches Critical Flaw Exposing Account Phone Numbers

Google has successfully patched a critical vulnerability that allowed attackers to discover phone numbers linked to Google accounts through a brute-force method. This flaw, if exploited, could have exposed users to significant privacy and security risks, including SIM swap attacks and identity theft. The issue was responsibly disclosed by a security researcher, leading to a swift resolution by Google.


Google Patches Critical Phone Number Brute-Force Flaw

Google recently addressed a significant security vulnerability that could have allowed malicious actors to uncover private phone numbers associated with almost any Google account. The flaw was identified and reported by an independent security researcher known as "brutecat" in April 2025. Google confirmed the fix in June 2025, emphasizing its commitment to user safety and collaboration with the security research community.

How The Vulnerability Worked

The exploit was not a single flaw but rather an "attack chain" leveraging several components:

  • Legacy Form Exploitation: The attack primarily abused a now-deprecated, JavaScript-disabled version of Google's username recovery form. This older form lacked modern anti-abuse protections, making it susceptible to brute-force attempts.

  • Display Name Leakage: The researcher found a method to obtain a target's full Google display name by transferring ownership of a Looker Studio document to the victim's Gmail address, causing the name to appear on the attacker's dashboard.

  • Partial Phone Number Hints: Google's account recovery workflow, specifically the "Forgot Password" feature, would display two digits of a configured recovery phone number, providing a crucial hint for the brute-force process.

  • Bypassing Rate Limits: The researcher bypassed rudimentary rate-limiting defenses by rotating IPv6 addresses and substituting a parameter with a valid BotGuard token from the JavaScript-enabled form.

By combining these techniques, brutecat developed a script that could brute-force a Google account owner's recovery phone number in a short amount of time, ranging from seconds for Singaporean numbers to approximately 20 minutes for U.S. numbers.
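The rate-limit bypass above worked because the limiter counted each IPv6 address separately. As an added illustration (not code from the article, the researcher, or Google's fix), the limiter below keys on the client's /64 prefix instead, so rotating through addresses inside one allocation shares a single budget; the limit, window and address ranges are constructed for the example.

```python
import ipaddress
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

# Assumption for this example: one IPv6 /64 is treated as one client (the usual
# per-customer allocation), while IPv4 addresses are still counted individually.
IPV6_PREFIX_LEN = 64
IPV4_PREFIX_LEN = 32


def client_key(addr: str) -> str:
    """Collapse a client address to the network prefix used as the rate-limit key."""
    ip = ipaddress.ip_address(addr)
    prefix_len = IPV6_PREFIX_LEN if ip.version == 6 else IPV4_PREFIX_LEN
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


class PrefixRateLimiter:
    """Sliding-window limiter: at most `limit` attempts per prefix per `window_seconds`."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, addr: str, now: Optional[float] = None) -> bool:
        """Return True if the attempt from addr is within its prefix's budget."""
        now = time.monotonic() if now is None else now
        hits = self._hits[client_key(addr)]
        # Discard timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def rotating_attempts_allowed(limiter: PrefixRateLimiter, base: str, count: int, now: float = 0.0) -> int:
    """Count how many of `count` attempts pass when each uses a fresh address after `base`."""
    start = int(ipaddress.IPv6Address(base))
    allowed = 0
    for i in range(1, count + 1):
        # Constructed rotation: consecutive addresses within the same /64.
        if limiter.allow(str(ipaddress.IPv6Address(start + i)), now=now):
            allowed += 1
    return allowed
```

Because every rotated address maps to the same /64 key, the attacker's fiftieth attempt is refused just as the eleventh was.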

Potential Risks and Google's Response

Revealing a private recovery phone number could lead to severe consequences for users, including:

  • SIM Swap Attacks: Attackers could use the phone number to perform a SIM swap, gaining control of the number and subsequently resetting passwords for other accounts linked to it.

  • Targeted Phishing and Vishing: The exposed number could be used for highly personalized phishing or vishing (voice phishing) attacks.

  • Identity Theft: With a phone number and other publicly available information, identity theft becomes a greater risk.

Google acknowledged the issue and, after responsible disclosure, paid brutecat a $5,000 bug bounty. The company stated that it had seen "no confirmed, direct links to exploits at this time" and fully deprecated the vulnerable no-JavaScript recovery endpoint by June 6, 2025, rendering the attack vector unexploitable.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.
