A white-hat hacker, dubbed Brutecat, uncovered a significant vulnerability in Google's authentication system, which exposes users' mobile numbers via brute-force attacks. This flaw allows anyone with a victim's email address to access the phone number linked to their Google account, facilitating potential SIM-swapping threats. By exploiting the account recovery process and utilizing cloud resources, Brutecat demonstrated how the security oversight can be exploited with minimal effort. They managed to develop a tool that effectively reveals obscured phone numbers, raising serious concerns about user privacy and account security on Google's platform.
This Google exploit I disclosed just requires the email address of the victim and you can get the phone number tied to the account.
After looking through random Google products, I found that I could create a Looker Studio document, transfer ownership of it to the victim, and the victim's display name would leak on the home page, with 0 interaction required from the victim.