Google fixes a vulnerability that revealed the phone number linked to a Google account in as little as 15 seconds

Security researcher BruteCat has reported a flaw that allowed the recovery phone number of a Google account to be brute-forced using only the user’s Google profile display name and a partial phone number.
BruteCat found a deprecated, JavaScript-free version of Google’s username recovery form that lacked modern safeguards. Given a profile display name such as “John Smith”, an attacker could check candidate phone numbers against the account with two POST requests.
BruteCat used IPv6 address rotation to generate a large pool of unique source addresses, which easily bypassed the form’s simple per-IP rate limiting. He also bypassed CAPTCHA verification by substituting a parameter and obtaining a valid BotGuard token.
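The per-IP rate limit failed because every request arrived from a fresh address inside one delegated IPv6 block. The following added example (not code from the article or from BruteCat) shows the defensive counterpart: a sliding-window limiter keyed on the IPv6 /64 prefix instead of the full address, so rotating through a /64 shares a single bucket. The class name, limits and sample addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Hypothetical limiter: IPv4 is keyed on the exact address, IPv6 on a
# configurable prefix (default /64, the usual end-site delegation size).
class PrefixRateLimiter:
    def __init__(self, limit, window_seconds, v6_prefix=64):
        self.limit = limit
        self.window = window_seconds
        self.v6_prefix = v6_prefix
        self.events = defaultdict(deque)  # bucket key -> request timestamps

    def bucket_key(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        if addr.version == 6:
            # Collapse all addresses in the same prefix into one bucket.
            net = ipaddress.ip_network(f"{addr}/{self.v6_prefix}", strict=False)
            return str(net)
        return str(addr)

    def allow(self, ip: str, now: float) -> bool:
        ts = self.events[self.bucket_key(ip)]
        cutoff = now - self.window
        while ts and ts[0] <= cutoff:      # expire events outside the window
            ts.popleft()
        if len(ts) >= self.limit:
            return False
        ts.append(now)
        return True

def simulate(limiter, ips, interval=0.001):
    """Replay a burst of requests 1 ms apart; return how many were allowed."""
    allowed = 0
    for i, ip in enumerate(ips):
        if limiter.allow(ip, now=i * interval):
            allowed += 1
    return allowed

# Constructed sample: 200 requests, each from a different host address
# inside the single /64 block 2001:db8:1:2::/64.
SAMPLE_V6 = [f"2001:db8:1:2::{i:x}" for i in range(1, 201)]

if __name__ == "__main__":
    per_address = PrefixRateLimiter(limit=10, window_seconds=60, v6_prefix=128)
    per_prefix = PrefixRateLimiter(limit=10, window_seconds=60, v6_prefix=64)
    print("per-address limit allowed:", simulate(per_address, SAMPLE_V6))  # 200
    print("per-/64 limit allowed:    ", simulate(per_prefix, SAMPLE_V6))   # 10
```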

He eventually built a brute-force tool called “GPB” that tests candidate numbers at 40,000 requests per second. At that rate, recovering a number takes about 20 minutes in the United States, 4 minutes in the United Kingdom, and less than 15 seconds in the Netherlands.
The attack requires the target’s email address. Although Google hid this information last year, BruteCat says the target’s display name can still be obtained by creating a Looker Studio document and transferring its ownership to the target’s Gmail address, which requires no interaction from the target.
In addition, Google’s account recovery flow reveals part of the recovery number (for example, 2 digits), and the candidate set can be narrowed further using the password reset hints of other services, such as PayPal. IT Home attaches the demonstration video below:

BruteCat reported the issue through the Google Vulnerability Reward Program (VRP) on April 14, 2025. Google initially rated the risk as low, but on May 22 raised it to “medium severity” and paid the researcher a $5,000 reward.
On June 6, Google confirmed that the vulnerable endpoint had been fully deprecated and the attack path is no longer viable; it is not known whether the flaw was ever exploited.

