Google Account Vulnerability Exposed Users’ Phone Numbers Through Legacy Recovery System
Google Patches Vulnerability That Could Expose Private Phone Numbers in Minutes – Google Updates Account Recovery System Following Responsible Security Disclosure
A critical security vulnerability in Google’s account recovery system could have allowed attackers to brute-force and expose the private phone number of any Google user. The flaw, discovered by security researcher “BruteCat” in April 2025, lay in a legacy version of Google’s username recovery form that still worked with JavaScript disabled and lacked the anti-abuse protections of the modern form.
Understanding the Vulnerability
The vulnerability centered on a username recovery form in Google’s account recovery system that continued to function even when JavaScript was disabled in the browser. This legacy endpoint, originally intended for users with limited browser capabilities, had been largely forgotten but remained active and reachable by attackers.
The attack worked by exploiting a three-step process that allowed systematic enumeration of phone numbers. First, attackers needed to obtain the target’s Google account display name, which could be leaked through Google’s Looker Studio by creating documents and transferring ownership to victims without any interaction required. Second, the standard forgot password flow provided masked phone number hints showing only the last few digits, such as “•• ••••••03” for Netherlands numbers. Finally, using a custom tool called “gpb,” attackers could systematically brute-force phone numbers by testing combinations against the known display name.
The researcher discovered that Google’s rate limiting protections could be bypassed by using different IPv6 addresses for each request, combined with BotGuard tokens obtained from Google’s JavaScript-enabled forms. This allowed approximately 40,000 verification attempts per second using consumer-grade hardware costing just $0.30 per hour.
(Google Phone Disclosure – Source: Brutecat)
Attack Timeline and Execution
The vulnerability was particularly dangerous because it required no prerequisites and could not be detected by victims. Depending on the country, phone numbers could be exposed in seconds to minutes. Singapore numbers took only 5 seconds to crack, Netherlands numbers required 15 seconds, UK numbers took 4 minutes, and US numbers needed about 20 minutes.
The attack methodology involved creating HTTP requests to Google’s recovery system, first submitting a phone number to generate an “ess” value, then using that value along with a guessed display name to determine whether the combination matched a valid Google account. By observing redirect behavior to either “no accounts found” or challenge pages, attackers could systematically identify correct phone numbers.
The Researcher’s Discovery Process
BruteCat discovered this vulnerability while experimenting with JavaScript-disabled browsing to test which Google services still functioned without modern web technologies. The researcher was surprised to find that the username recovery form remained operational, as similar forms had supposedly required JavaScript since 2018 due to anti-abuse protections.
The initial discovery process involved mapping Google’s recovery endpoints and identifying that the system masked phone numbers using libphonenumber’s national formatting for each country. This allowed the researcher to infer the country code from the mask alone and to narrow brute-force attempts to valid mobile prefixes and area codes for that region.
Google’s Response and Mitigation
Google was notified of the vulnerability on April 14, 2025, and responded quickly by implementing temporary mitigations while working toward a permanent solution. Initially, Google assessed the exploitability risk as low and awarded $1,337, but after the researcher appealed and provided additional evidence about the attack’s lack of prerequisites and undetectable nature, the company upgraded the severity to medium and increased the reward to $5,000.
By June 6, 2025, Google had fully deprecated the vulnerable No-JavaScript username recovery form globally, eliminating the attack vector. Google stated that it had found no confirmed direct links between this vulnerability and malicious exploitation in the wild.
Security Implications and Risks
The exposure of phone numbers creates significant security risks beyond simple privacy violations. Armed with a target’s phone number, attackers could launch sophisticated social engineering attacks, including vishing (voice phishing) campaigns that appear more legitimate because they possess verified contact information. More seriously, the leaked phone numbers could enable SIM-swapping attacks, where criminals convince mobile carriers to transfer a victim’s phone number to a device they control.
SIM-swapping attacks are particularly dangerous because phone numbers are commonly used as secondary authentication factors for many online services. Once attackers control a victim’s phone number, they can potentially reset passwords and gain access to email accounts, financial services, social media platforms, and other critical online accounts that rely on SMS-based two-factor authentication.
The vulnerability also highlighted ongoing security challenges posed by legacy systems that may lack modern protections while remaining accessible to attackers. Many organizations maintain older endpoints or interfaces for compatibility reasons without ensuring they meet current security standards.
Lessons for Organizations
This incident demonstrates several important security principles that organizations should consider. Legacy systems and forgotten endpoints can become significant attack vectors if they’re not properly maintained or deprecated. Regular security audits should include comprehensive reviews of all accessible endpoints, even those that seem obsolete or rarely used.
The vulnerability also illustrates how seemingly innocuous features, like display name leaks through document sharing, can become critical components of more complex attack chains. Security teams should consider how different features and data exposures might be combined by sophisticated attackers.
Rate limiting and anti-abuse protections must be implemented consistently across all interfaces, not just primary user-facing applications. The researcher’s ability to bypass protections using IPv6 address rotation shows that traditional IP-based rate limiting may be insufficient against determined attackers with access to large address spaces.
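The following is an added example, written for this article and not code from Google or from BruteCat, showing the defensive side of the IPv6 rotation problem described above: a sliding-window rate limiter that buckets IPv6 clients by their /64 prefix instead of by individual address, and a detection pass that flags a single /64 presenting many distinct source addresses against a recovery endpoint. The log format, endpoint path, thresholds and prefix length (/64) are assumptions chosen for illustration; real deployments would tune the prefix length and limits to their traffic.

```python
"""Prefix-aware rate limiting and detection of rotating IPv6 clients.

Added example for this article; not Google's code. Log format, path and
thresholds are assumptions for illustration.
"""
import ipaddress
from collections import defaultdict, deque


def rate_limit_key(client_ip: str, v6_prefix_len: int = 64) -> str:
    """Bucket IPv6 clients by their /64 (a single host commonly controls a whole /64),
    while IPv4 clients keep a per-address bucket."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 6:
        return str(ipaddress.ip_network(f"{ip}/{v6_prefix_len}", strict=False))
    return str(ip)


class SlidingWindowLimiter:
    """Allow at most max_requests per key within a trailing window of window_seconds."""

    def __init__(self, max_requests: int, window_seconds: float, key_func):
        self.max_requests = max_requests
        self.window = window_seconds
        self.key_func = key_func          # maps a client address to a bucket key
        self.hits = defaultdict(deque)    # bucket key -> timestamps of recent requests

    def allow(self, client_ip: str, now: float) -> bool:
        key = self.key_func(client_ip)
        q = self.hits[key]
        while q and q[0] <= now - self.window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def simulate_rotating_client(limiter: SlidingWindowLimiter, prefix: str, n_requests: int) -> int:
    """Issue n_requests, each from a different address inside `prefix` (the rotation
    pattern described in the article); return how many the limiter let through."""
    net = ipaddress.ip_network(prefix)
    allowed = 0
    for i in range(n_requests):
        src = str(net[i + 1])              # a fresh host address for every request
        if limiter.allow(src, now=i * 0.001):
            allowed += 1
    return allowed


# Constructed sample log lines (not real traffic): "<timestamp> <client_ip> <method> <path> <status>"
SAMPLE_LOG = """\
2025-04-14T10:00:00Z 2001:db8:abcd:1::1 POST /recovery/username 302
2025-04-14T10:00:00Z 2001:db8:abcd:1::2 POST /recovery/username 302
2025-04-14T10:00:00Z 2001:db8:abcd:1::3 POST /recovery/username 302
2025-04-14T10:00:00Z 2001:db8:abcd:1::4 POST /recovery/username 302
2025-04-14T10:00:01Z 2001:db8:ffff:9::1 POST /recovery/username 302
2025-04-14T10:00:01Z 198.51.100.7 POST /recovery/username 302
2025-04-14T10:00:02Z 2001:db8:abcd:1::1 GET /recovery/username 200
"""


def distinct_sources_per_prefix(log_text: str, path_prefix: str = "/recovery/") -> dict:
    """Count distinct client addresses per rate-limit bucket hitting the recovery endpoints."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:                # skip malformed lines rather than crash
            continue
        _ts, client_ip, _method, path, _status = parts
        if path.startswith(path_prefix):
            seen[rate_limit_key(client_ip)].add(client_ip)
    return {bucket: len(addrs) for bucket, addrs in seen.items()}


def flag_rotating_prefixes(log_text: str, min_distinct: int = 3) -> list:
    """A single /64 showing many distinct source addresses against the recovery
    endpoint is the signature of per-address rate-limit evasion."""
    counts = distinct_sources_per_prefix(log_text)
    return sorted(bucket for bucket, n in counts.items() if n >= min_distinct)


if __name__ == "__main__":
    per_address = SlidingWindowLimiter(5, 60, key_func=str)
    per_prefix = SlidingWindowLimiter(5, 60, key_func=rate_limit_key)
    print("per-address limiter let through:",
          simulate_rotating_client(per_address, "2001:db8:abcd:1::/64", 50))
    print("per-/64 limiter let through:",
          simulate_rotating_client(per_prefix, "2001:db8:abcd:1::/64", 50))
    print("flagged prefixes:", flag_rotating_prefixes(SAMPLE_LOG))
```

With a limit of 5 requests per minute, the per-address limiter lets all 50 rotating requests through because every request arrives from a previously unseen address, while the per-/64 limiter stops at 5. The detection pass complements the limiter: even where a prefix-keyed limit is in place, a sudden spread of distinct addresses from one /64 against an account recovery path is worth alerting on.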
How CinchOps Can Help
At CinchOps, we understand that vulnerabilities like this Google phone number exposure represent just one piece of a much larger cybersecurity puzzle facing modern businesses. While individual companies cannot prevent vulnerabilities in major platforms like Google, they can implement comprehensive security strategies that minimize risk and impact when such issues arise.
Our team of seasoned IT security professionals provides multiple layers of protection for your business:
- Multi-Factor Authentication Implementation: We deploy enterprise-grade MFA solutions that don’t rely solely on SMS or phone-based verification, reducing your exposure when phone numbers are compromised
- Identity and Access Management: Our IAM solutions ensure that even if individual accounts are compromised, attackers cannot easily move laterally through your systems
- Security Awareness Training: We educate your employees about social engineering attacks that often follow data exposures like phone number leaks
- Incident Response Planning: Our team helps you develop and test response procedures for when employee accounts are compromised or when major platform vulnerabilities are discovered
- Advanced Threat Monitoring: We implement 24/7 monitoring systems that can detect unusual account access patterns that might indicate compromise following data exposure
- Email Security Solutions: Since this attack required email addresses as starting points, we deploy advanced email filtering and protection to prevent your corporate email addresses from being easily harvested
- Risk Assessment Services: We regularly evaluate your organization’s exposure to various attack vectors and help prioritize security investments
- Backup Authentication Methods: We help implement redundant authentication systems so your business operations aren’t disrupted when primary authentication methods are compromised
- Dark Web Monitoring: Our services include monitoring for your corporate data on dark web marketplaces where compromised information is often sold
With over three decades of experience in enterprise IT security, CinchOps understands that protection requires a holistic approach combining technology, processes, and human awareness. We work with you to build resilient systems that can withstand not just known threats, but also the zero-day vulnerabilities and attack methods that emerge in our rapidly evolving threat environment.
Discover More 
Discover more about our enterprise-grade and business protecting cybersecurity services: CinchOps Cybersecurity
For Additional Information on this topic: Bruteforcing the Phone Number of Any Google User