A cybersecurity researcher recently identified a vulnerability that enabled the extraction of phone numbers associated with any Google account. This information is generally private and sensitive, as confirmed by both the researcher and independent testing by 404 Media.
The vulnerability has since been addressed by Google. However, at the time it presented a substantial privacy risk, allowing even less-resourceful attackers to access personal data through brute force techniques.
The researcher, using the pseudonym brutecat, expressed concern about the implications of this exploit, particularly for SIM swapping attacks. SIM swappers can hijack a victim’s phone number, allowing them to intercept calls and messages, which can facilitate unauthorized access to various online accounts.
During an investigation in mid-April, brutecat was provided with a personal Gmail address to test the vulnerability. Within approximately six hours, the researcher successfully disclosed the full phone number linked to the Google account.
Brutecat explained the brute-forcing process, which involves rapidly attempting multiple digit combinations until the correct phone number is identified. The researcher indicated that it takes about an hour to brute-force a U.S. phone number, while a UK number could potentially be compromised in as little as eight minutes. For other countries, the time required might be even shorter.
In a video detailing the exploit, brutecat outlined that an attacker must first obtain the target’s Google display name by transferring ownership of a document within Google’s Looker Studio. By inflating the document’s name to millions of characters, the target does not receive a notification of the transfer. The researcher then sends numerous requests to Google’s servers with guesses for the phone number until a successful match is found.
A spokesperson for Google affirmed that the issue had been rectified, emphasizing the importance of collaboration with the security research community through their vulnerability rewards program. The spokesperson also expressed gratitude to brutecat for highlighting the vulnerability, underscoring the role of such submissions in bolstering user safety.
Phone numbers play a critical role in SIM swapping attacks. Hackers have been known to exploit these vulnerabilities to gain access to significant user accounts, including cryptocurrency wallets and various online profiles. The FBI advises the public to refrain from sharing personal contact information on social media to mitigate these risks.
According to brutecat, Google awarded them $5,000 for their findings after initially classifying the vulnerability as low risk, which was later reassessed to medium. This incident serves as a reminder of the persistent threats posed by cyber adversaries and the critical need for organizations to prioritize cybersecurity measures to protect sensitive user information.
