Google addressed a critical security flaw, discovered by a Singaporean researcher named 'brutecat', that risked exposing users' recovery phone numbers. The vulnerability stemmed from a deprecated JavaScript-disabled version of Google's username recovery form, which lacked essential protections against abuse. Attackers could exploit this by circumventing the CAPTCHA-based rate limits and rapidly trying phone number combinations, which let them determine a phone number within seconds or minutes. The method also involved gathering display names and potentially using the password recovery feature to extract more information about the victims, indicating severe implications for user security.
Google has addressed a security vulnerability that could have allowed attackers to brute-force recovery phone numbers, posing significant privacy and security risks.
The vulnerability existed in a deprecated JavaScript-disabled version of the username recovery form, which lacked sufficient anti-abuse protections.
By bypassing the CAPTCHA-based rate limits, attackers could rapidly test multiple phone number permutations, revealing the correct digits within a short time.
An attacker could also exploit the forgot password process to learn the masked phone number and associated display name, further increasing the victim's exposure.