News: 1749557706

Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Cloud brute-force attack cracks Google users' phone numbers in minutes

(2025/06/10)


A researcher has exposed a flaw in Google's account recovery flow that opened it to a brute-force attack and left users' mobile numbers up for grabs.

The security hole, [1]discovered by a white-hat hacker operating under the handle Brutecat, exposed the recovery phone number of any Google user to anyone who knew the account's email address. The root cause was a legacy username-recovery form that worked without JavaScript, and therefore outside Google's anti-abuse protections, which let an attacker brute-force the masked phone hint; a recovered number is a ready starting point for SIM-swapping attacks.

"This Google exploit I disclosed just requires the email address of the victim and you can get the phone number tied to the account," Brutecat told The Register.

Brutecat found that Google's account recovery process hands out a partial, masked phone number hint, which narrows the search space enough for a brute-force attack to be practical. By combining rented cloud capacity with a Google Looker Studio document, the attacker could bypass the rate limiting on the recovery form and brute-force the remaining digits.

They explained in the post that "after looking through random Google products, I found out that I could create a Looker Studio document, transfer ownership of it to the victim, and the victim's display name would leak on the home page, with 0 interaction required from the victim."

The researcher also found an old-school username recovery form that worked without JavaScript, which allowed them to check whether a recovery email or phone number was associated with a specific display name using two HTTP requests.

After this, they could go "through forgot password flow for that email and get the masked phone."

Finally, a brute-forcing tool they developed, gpb, takes the display name and the masked phone and unmasks the number, using [6]real-time libphonenumber validation so that only plausible numbers are ever queried against Google's API.

You can see the full process below.

[8]YouTube video

With the victim's display name obtained through Looker Studio and enough rented cloud capacity to push guesses at the recovery form, the hacker could deduce the full phone number in a remarkably short time, by country code:

Netherlands (+31): 15 seconds

Singapore (+65): 5 seconds

UK (+44): 4 minutes

US (+1): 20 minutes
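To see why those timings differ so much by country, here is an added example in Python (not Brutecat's code and not gpb): it enumerates only the numbers a simplified mobile numbering plan allows for each country once the hint reveals the country code and the last two digits, which is the job libphonenumber does for gpb. The numbering rules, the hint "...03" and the sample suffixes are constructed for the demo and are a rough hand-written approximation, not libphonenumber's data.

```python
"""Added example: size of the search space a Google-style phone hint leaves,
and how a numbering-plan filter shrinks it. Rules are simplified assumptions."""
from itertools import product
from typing import Dict, FrozenSet, Iterator, List, Tuple

DIGITS = frozenset("0123456789")
Pattern = Tuple[FrozenSet[str], ...]   # one allowed-digit set per position


def _nanp_code() -> List[Pattern]:
    """A NANP three-digit area or exchange code NXX: N is 2-9 and the N11
    service codes are excluded, expressed as two disjoint patterns."""
    n = frozenset("23456789")
    not_one = DIGITS - {"1"}
    return [(n, not_one, DIGITS), (n, frozenset("1"), not_one)]


def _concat(*parts: List[Pattern]) -> List[Pattern]:
    """Cartesian concatenation of pattern fragments into full patterns."""
    out: List[Pattern] = [()]
    for part in parts:
        out = [head + frag for head in out for frag in part]
    return out


# Simplified mobile numbering plans (assumption: mobile numbers only).
PLANS: Dict[str, List[Pattern]] = {
    "+31": [(frozenset("6"),) + (DIGITS,) * 8],    # NL: 06 xxxx xxxx
    "+65": [(frozenset("89"),) + (DIGITS,) * 7],   # SG: 8xxx xxxx / 9xxx xxxx
    "+44": [(frozenset("7"),) + (DIGITS,) * 9],    # UK: 07xxx xxxxxx
    "+1": _concat(_nanp_code(), _nanp_code(), [(DIGITS,) * 4]),  # US: NXX NXX XXXX
}


def _compatible(pattern: Pattern, suffix: str) -> bool:
    """True if the known trailing digits fit the pattern's tail positions."""
    if len(suffix) > len(pattern):
        return False
    tail = pattern[len(pattern) - len(suffix):]
    return all(d in ok for d, ok in zip(suffix, tail))


def search_space(cc: str, suffix: str) -> int:
    """Number of plan-valid numbers in country cc ending in suffix."""
    total = 0
    for pat in PLANS[cc]:
        if not _compatible(pat, suffix):
            continue
        n = 1
        for ok in pat[: len(pat) - len(suffix)]:
            n *= len(ok)
        total += n
    return total


def candidates(cc: str, suffix: str) -> Iterator[str]:
    """Enumerate every plan-valid E.164 number ending in suffix: the query
    list a brute-forcer submits. Invalid numbers are never generated."""
    for pat in PLANS[cc]:
        if not _compatible(pat, suffix):
            continue
        free = [sorted(ok) for ok in pat[: len(pat) - len(suffix)]]
        for head in product(*free):
            yield cc + "".join(head) + suffix


def implied_rate(cc: str, suffix: str, seconds: float) -> float:
    """Guesses per second needed to exhaust the space in the given time."""
    return search_space(cc, suffix) / seconds


if __name__ == "__main__":
    # Timings quoted in the article, paired with a constructed hint "...03".
    for cc, secs in (("+31", 15), ("+65", 5), ("+44", 240), ("+1", 1200)):
        print(f"{cc:>4}: {search_space(cc, '03'):>11,} candidates -> "
              f"{implied_rate(cc, '03', secs):,.0f} guesses/s to finish in {secs}s")
    print(list(candidates("+65", "1234567")))  # only two valid numbers remain
```

Under these simplified plans the hint leaves about 200,000 numbers for Singapore, 1 million for the Netherlands, 10 million for the UK and 63 million for the US; dividing by the quoted times gives a roughly constant 40,000 to 70,000 guesses per second. That is what the validation filter buys: every request carries a number Google could plausibly hold, so none of the rate budget is spent on impossible ones.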

"I found the flaw as it was quite surprising that they had account recovery forms that worked without JavaScript, since their anti-abuse system wouldn't work without JavaScript," Brutecat told The Register.

"Specifically, it was the fact that they were doing per-IP-address limiting. But with IPv6, it's extremely easy to get your hands on trillions of IP addresses. They also had a check if you're hitting the endpoint from a datacenter IP, but I was able to overcome this by using a BotGuard token from JavaScript."
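The per-address limit Brutecat describes, rebuilt in miniature as an added example in Python (not Google's anti-abuse code): a sliding-window limiter keyed on the full client address is defeated by an attacker rotating through hosts in one IPv6 block, while keying the same limiter on the routed prefix (/64, or the /48 many hosting providers hand out) restores the limit. The addresses, thresholds and clock values are constructed for the demo.

```python
"""Added example: why per-IPv6-address rate limiting fails and the
prefix-keyed alternative. Networks and limits are constructed assumptions."""
import ipaddress
from collections import defaultdict, deque
from itertools import islice
from typing import Callable, Deque, Dict, Iterable, List


def exact_address_key(ip: str) -> str:
    """The weak choice: every IPv6 address is its own bucket."""
    return str(ipaddress.ip_address(ip))


def prefix_key(v6_prefix: int = 64, v4_prefix: int = 32) -> Callable[[str], str]:
    """The hardened choice: bucket by the network the address belongs to."""
    def key(ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        plen = v6_prefix if addr.version == 6 else v4_prefix
        return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
    return key


class SlidingWindowLimiter:
    """Allow at most `limit` hits per bucket within any `window_s` seconds."""

    def __init__(self, limit: int, window_s: float, key_fn: Callable[[str], str]):
        self.limit, self.window_s, self.key_fn = limit, window_s, key_fn
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, ip: str, now: float) -> bool:
        q = self.hits[self.key_fn(ip)]
        while q and q[0] <= now - self.window_s:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def allowed_count(limiter: SlidingWindowLimiter, ips: Iterable[str], now: float = 0.0) -> int:
    """How many of a burst of requests (all inside one window) get through."""
    return sum(limiter.allow(ip, now) for ip in ips)


def addresses_in(net: str, n: int) -> List[str]:
    """n distinct hosts from one network: an attacker rotating inside a block."""
    return [str(a) for a in islice(ipaddress.ip_network(net).hosts(), n)]


def addresses_across(net: str, subnets: int, per_subnet: int) -> List[str]:
    """Rotate across `subnets` /64s inside a larger block, per_subnet hosts each."""
    block = ipaddress.ip_network(net)
    out: List[str] = []
    for sub in islice(block.subnets(new_prefix=64), subnets):
        out += [str(a) for a in islice(sub.hosts(), per_subnet)]
    return out


if __name__ == "__main__":
    burst = addresses_in("2001:db8:abcd:1::/64", 1000)   # constructed attacker block
    for name, key in (("per address", exact_address_key), ("per /64", prefix_key(64))):
        lim = SlidingWindowLimiter(limit=5, window_s=60, key_fn=key)
        print(f"{name}: {allowed_count(lim, burst)} of {len(burst)} guesses got through")
    spread = addresses_across("2001:db8:abcd::/48", 100, 10)  # rotating across /64s
    for plen in (64, 48):
        lim = SlidingWindowLimiter(limit=5, window_s=60, key_fn=prefix_key(plen))
        print(f"per /{plen}: {allowed_count(lim, spread)} of {len(spread)} got through")
```

The prefix length is a policy decision, not a constant: a /64 is the smallest allocation a single customer normally receives, so anything finer than that lets one tenant look like millions of clients, and an attacker who holds a /48 can still spread guesses across 65,536 of those /64s unless the limiter also counts at /48 or above. Per-IP limits are a backstop; the recovery form itself still needs the same proof-of-work or bot-detection token as the JavaScript path.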

Surprisingly, Google didn't consider this a serious flaw, awarding Brutecat $5,000 under its bug bounty scheme.

"Google was pretty receptive and promptly patched the bug," the researcher said. "By deprecating the whole form compared to my other disclosures, this was done much more quickly. That being said, the bounty is pretty low when taking into account the impact of this bug."

"This issue has been fixed," a Google spokesperson told us. "We've always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue. Researcher submissions like this are one of the many ways we're able to quickly find and fix issues for the safety of our users." ®



[1] https://brutecat.com/articles/leaking-google-phones

[6] https://github.com/ddd/gpb/blob/main/src/workers/workers.rs#L63

[8] https://www.youtube.com/watch?v=aM3ipLyz4sw



Dinanziame

To think people used to voluntarily display their phone number in huge dead tree books distributed to everybody in the country...

Anonymous Coward

It was quite funny, 'cos at part 1 of the hack, I thought: "I could do that." At Part 2, "I could do that." Then part 3: "Quickly go off and develop a brute force cracking tool"

Oh shit, not really!

Jon Splatz's Movie Review: "Lord of the Pings"

I've never walked out on a movie before. When I pay $9.50 to see a movie
(plus $16.50 for snacks), I'm going to sit through every single minute no
matter how awful. The resolve to get my money's worth allowed me to watch
Jar Jar Binks without even flinching last year.

But I couldn't make it through "Lord of the Pings". This movie contains a
scene that is so appalling, so despicable, so vile, so terrible, so
crappy, and so gut-wrenching that I simply had to get up, run out of the
theater, and puke in the nearest restroom. It was just that bad.

The whole thing is completely ruined by a scene that takes place only 52
seconds into the flick. Brace yourself: big letters appear on screen that
say "An AOL/Time Warner Production".

...

Because this film is brought to you by the letters A-O-L-T-W, I must give
it an F-minus even though I've only seen 53 seconds of it.