Google Flaw Exposed: Phone Numbers Vulnerable to Bruteforce Attacks

A security researcher has discovered a vulnerability in Google’s account recovery system that allowed attackers to bruteforce phone numbers with minimal effort. The flaw, reported on June 9, 2025, lay in the non-JavaScript account recovery form, which let an attacker guess a target’s phone number from limited information.

The researcher used a $0.30/hour server to achieve approximately 40,000 checks per second, with some countries’ phone numbers revealed in mere seconds once the display name was known. The attack requires two key pieces of information: the victim’s Google account display name and a hint about their phone number.

Google initially responded lukewarmly to the issue, awarding $1,337 plus swag. However, after the researcher appealed, the company acknowledged the vulnerability’s medium likelihood of exploitation and raised the total award to $5,000. The non-JavaScript username recovery form has since been fully deprecated, closing this avenue of attack.

The researcher exploited Google’s Looker Studio product to obtain display names without interaction from victims, providing an additional pathway for attackers. This flaw highlights the importance of addressing security vulnerabilities in major platforms and ensuring adequate protection for users’ sensitive information.

Source: https://boingboing.net/2025/06/09/google-bug-let-strangers-find-your-phone-number-with-just-your-gmail-address.html