RSS Slashdot

A Researcher Figured Out How To Reveal Any Phone Number Linked To a Google Account

A cybersecurity researcher, brutecat, discovered a vulnerability in Google accounts that made it possible to find the phone number linked to any account, information that is usually private and sensitive. The issue has since been fixed, and it presented a risk that hackers with limited resources could have accessed people's personal information. Brutecat demonstrated the exploit by finding the correct phone number linked to a Gmail address provided for testing.

The process involved brute forcing, in which a hacker rapidly tries different combinations of digits or characters until finding the correct one. Brutecat said the brute forcing takes around one hour for a U.S. number, 8 minutes for a UK one, and less than a minute for other countries. To exploit the vulnerability, an attacker requires the target's Google display name, which can be obtained by transferring ownership of a document from Google's Looker Studio product to the target. The attacker then uses custom code to barrage Google with guesses of the phone number until getting a hit.

The vulnerability posed a significant privacy risk, particularly for SIM swappers, and it highlights the importance of protecting sensitive information.
it.slashdot.org