A cybersecurity researcher, operating under the pseudonym brutecat, discovered a severe flaw in Google’s systems that allowed anyone to uncover phone numbers linked to Google accounts through a sophisticated brute-force attack. The vulnerability posed a significant threat, as exposed phone numbers could enable SIM-swapping attacks, where hackers hijack a victim’s phone number to intercept calls, texts, and two-factor authentication codes, potentially compromising sensitive accounts like email, banking, or cryptocurrency wallets.
The exploit involved rapidly testing number combinations to reveal the phone number associated with a given Gmail address. In a test conducted by 404 Media, brutecat successfully retrieved a phone number within six hours after being provided only an email address. “This was a goldmine for SIM swappers,” brutecat told 404 Media, noting that the method required minimal resources, making it accessible to even low-skill attackers. The researcher identified the vulnerability by exploiting a weakness in Google’s account recovery or login processes, though specific technical details were not disclosed to prevent further exploitation.
Google initially classified the issue as low risk but later upgraded it to medium likelihood of exploitation after further evaluation. The company swiftly patched the vulnerability, ensuring that phone numbers tied to Google accounts are no longer accessible through this method. Google praised the researcher’s contribution, awarding brutecat $5,000 and swag through its bug bounty program.
The incident highlights the growing risks of SIM-swapping and the importance of safeguarding personal information like phone numbers, which are often used as a security fallback. While Google’s fix has closed this particular loophole, the ease with which the flaw was exploited raises broader concerns about the security of personal data in widely used online services. Users are urged to enable two-factor authentication with secure methods, such as authenticator apps, to reduce reliance on phone numbers for account protection.
