
A critical security vulnerability in Google’s account recovery system could have allowed attackers to uncover the phone number linked to any Google account. The issue, responsibly disclosed by a Singapore-based cybersecurity researcher known as “brutecat,” has since been patched by Google.
The flaw, which affected a now-deprecated version of the username recovery page, posed a serious risk to user privacy and account security. It enabled attackers to brute-force recovery phone numbers associated with Google accounts and potentially use them for SIM-swapping attacks or phishing campaigns.
The Vulnerability
The security loophole was discovered in a JavaScript-disabled version of Google’s username recovery page: accounts.google[.]com/signin/usernamerecovery.
This page was originally designed to help users recover their Google usernames by checking if a recovery email address or phone number was linked to a particular display name (e.g., “John Smith”). However, the outdated version lacked standard anti-abuse protections such as CAPTCHAs or rate-limiting, making it vulnerable to automated attacks.
The researcher outlined a three-step method that could be used to exploit the flaw:
Step 1: Obtain the User’s Display Name
By creating a Looker Studio report and transferring ownership to a target email address, an attacker could trigger a notification that displays the victim’s full name on their Google homepage.
Step 2: Reveal Part of the Phone Number
Using Google’s “Forgot Password” feature, attackers could initiate a password reset for a target email address. This would show a masked version of the linked recovery phone number, revealing the last two digits (e.g., •• ••••••03) and the country code.
Step 3: Brute-Force the Full Phone Number
With the last two digits known and a rough idea of the number’s length, the attacker could then use automated scripts to try various combinations on the outdated recovery page. Since this version lacked CAPTCHA and throttling, it was possible to guess the full number in seconds or minutes, depending on the country.
For example, the researcher found that a Singapore-based phone number could be brute-forced in just 5 seconds, while a U.S. number might take around 20 minutes to unmask.
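The missing control at the center of this flaw is throttling. As an added example that is not Google’s code, the following sliding-window rate limiter shows the kind of guard a recovery endpoint needs: it counts lookups per requesting client and per targeted display name, so both a single source cycling through candidates and several sources converging on one victim are cut off after a handful of attempts. RecoveryLookupGuard and count_accepted are hypothetical names, and the client ids, display names and timings are constructed for the demonstration.

```python
# Added example, not Google's code: a sliding-window rate limiter of the kind
# the deprecated recovery page lacked. RecoveryLookupGuard and count_accepted
# are hypothetical names; the client ids, display names and timings below are
# constructed for the demonstration.
from collections import deque
from dataclasses import dataclass, field


@dataclass
class RecoveryLookupGuard:
    """Throttle lookups against an account-recovery endpoint.

    Attempts are counted per requesting client *and* per targeted display
    name, so one source rotating through candidates, and many sources
    converging on one victim, are both stopped after max_attempts per window.
    """
    max_attempts: int = 5          # lookups allowed per key per window
    window_seconds: float = 60.0   # length of the sliding window
    _attempts: dict = field(default_factory=dict)

    def _prune(self, key, now):
        # Drop timestamps that have fallen out of the window; return the deque.
        q = self._attempts.setdefault(key, deque())
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        return q

    def check(self, client_id: str, display_name: str, now: float) -> bool:
        """Return True if the lookup may proceed, False if it is throttled."""
        keys = (("client", client_id), ("target", display_name.strip().lower()))
        queues = [self._prune(k, now) for k in keys]
        if any(len(q) >= self.max_attempts for q in queues):
            return False
        for q in queues:               # record the attempt under both keys
            q.append(now)
        return True


def count_accepted(guard, client_id, display_name, n, start=0.0, spacing=0.1):
    """Simulate n rapid lookups from one client against one display name and
    return how many the guard lets through (constructed timing, no network)."""
    return sum(
        guard.check(client_id, display_name, start + i * spacing) for i in range(n)
    )


if __name__ == "__main__":
    guard = RecoveryLookupGuard(max_attempts=5, window_seconds=60.0)
    # An automated run of 500 lookups in 50 seconds gets only 5 through.
    print("enumeration lookups accepted:", count_accepted(guard, "client-A", "John Smith", 500))
    # A second source against the same target is stopped by the per-target key.
    print("second client, same target:", guard.check("client-B", "John Smith", 55.0))
    # A legitimate user recovering a different account is unaffected.
    print("legitimate lookup:", guard.check("client-B", "Jane Doe", 55.0))
```

Throttled attempts are deliberately not recorded, so a client regains its allowance as soon as its earlier attempts age out of the window; a stricter deployment would also count rejected attempts, or escalate to a CAPTCHA challenge once a key is throttled.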
Once an attacker knows the phone number linked to a Google account, they can try more advanced attacks such as:
SIM Swapping: By convincing a mobile carrier to transfer the number to a new SIM card, the attacker gains control of SMS-based verification messages, allowing them to reset passwords for associated services.
Phishing or Social Engineering: Knowing someone’s personal number and display name can make fake messages seem more credible.
This vulnerability could have put millions of users worldwide at risk, especially those relying on their phone number as a primary recovery method for sensitive accounts.

Google Responds with a Fix
After receiving the report on April 14, 2025, Google investigated and acknowledged the flaw. On June 6, 2025, it removed the non-JavaScript version of the username recovery page entirely, eliminating the attack vector.
For the discovery, Google awarded the researcher a $5,000 bug bounty under its Vulnerability Reward Program.
This isn’t brutecat’s first major security find. Over the past year, the researcher has disclosed several significant flaws in Google’s ecosystem:
YouTube Channel Email Leak (January 2025)
By chaining a vulnerability in the YouTube API and an outdated Pixel Recorder API, brutecat demonstrated a way to extract the email addresses of any YouTube channel owner. This flaw earned a $10,000 reward from Google.
YouTube Partner Program Exploit (March 2025)
Another bug in the /get_creator_channels endpoint allowed unauthorized access to the contentOwnerAssociation field. By using the Content ID API, an attacker could expose email addresses and monetization details of over 3 million channels in the YouTube Partner Program (YPP).
Google confirmed the issue as an access control vulnerability, rewarding the researcher $20,000.
“An attacker with access to a single Google account linked to a YouTube Partner channel could potentially reveal the email and revenue details of any other YPP creator. This could break anonymity and lead to phishing or harassment,” Google explained in its report.
This series of findings highlights ongoing concerns about how legacy systems and outdated endpoints can expose even the most secure platforms to cyber threats. In this case, Google’s swift action and transparent response show the value of coordinated vulnerability disclosure.
For users, it’s a reminder to avoid relying on a phone number as the sole recovery method and to enable two-factor authentication (2FA) via more secure channels such as hardware tokens or authenticator apps.
From an enterprise and cybersecurity perspective, regular audits of deprecated systems and APIs are critical. Security through obscurity, such as hiding phone numbers or emails, can no longer be relied upon when attackers have increasingly clever ways to extract that data.
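Auditing a legacy endpoint also means watching its logs for the pattern this flaw produced: one source making many lookups against one display name, each with a different candidate value, nearly all of them failing. The following detection logic is an added example and not Google’s code; it runs over constructed access-log lines whose format, field names and addresses are assumptions made for the demonstration. Candidate values are logged as short hashes so the logs themselves never store phone numbers.

```python
# Added example, not Google's code: detection logic for recovery-endpoint
# enumeration, run over constructed access-log lines. The log format, field
# names and addresses are assumptions made for this demonstration; candidate
# values are logged as short hashes so the logs do not store phone numbers.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) endpoint=(?P<endpoint>\S+) '
    r'name="(?P<name>[^"]*)" candidate_hash=(?P<cand>\S+) result=(?P<result>\S+)$'
)

# Constructed sample: one source tries 12 distinct candidates against one
# display name within 12 seconds (all misses); a second source makes two
# ordinary lookups, one of which succeeds, plus a request to another endpoint.
SAMPLE_LOG = [
    f'2025-01-01T10:00:{i:02d}Z src=203.0.113.5 endpoint=/signin/usernamerecovery '
    f'name="John Smith" candidate_hash=c{i:02d} result=miss'
    for i in range(12)
] + [
    '2025-01-01T10:00:03Z src=198.51.100.7 endpoint=/signin/usernamerecovery '
    'name="Jane Doe" candidate_hash=d01 result=miss',
    '2025-01-01T10:00:40Z src=198.51.100.7 endpoint=/signin/usernamerecovery '
    'name="Jane Doe" candidate_hash=d02 result=hit',
    '2025-01-01T10:00:41Z src=198.51.100.7 endpoint=/signin/other '
    'name="Jane Doe" candidate_hash=d03 result=miss',
]


def parse(lines):
    """Yield parsed events; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            yield ev


def detect_enumeration(lines, distinct_threshold=10, window_seconds=60,
                       min_miss_ratio=0.9):
    """Alert on (source, target name) pairs where one source tries at least
    distinct_threshold different candidates within window_seconds and almost
    all of them miss. Returns one alert dict per offending pair."""
    events = [e for e in parse(lines) if e["endpoint"] == "/signin/usernamerecovery"]
    events.sort(key=lambda e: e["ts"])
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["name"])].append(e)

    alerts = []
    for (src, name), evs in by_pair.items():
        best = None  # (distinct, misses, total, first_ts, last_ts) of the densest window
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits in window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            distinct = len({e["cand"] for e in window})
            misses = sum(1 for e in window if e["result"] == "miss")
            if best is None or distinct > best[0]:
                best = (distinct, misses, len(window), evs[start]["ts"], evs[end]["ts"])
        distinct, misses, total, first, last = best
        if distinct >= distinct_threshold and misses / total >= min_miss_ratio:
            alerts.append({"src": src, "name": name, "distinct_candidates": distinct,
                           "first": first.isoformat(), "last": last.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print("enumeration suspected:", alert)
```

Keying on the target name as well as the source catches a distributed run against one victim when the results are later aggregated across sources; the high miss ratio keeps ordinary users who mistype a recovery value once or twice out of the alert.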