Google Phone Number Exploit Fixed After Cybersecurity Researcher Discovers Vulnerability

A recent vulnerability in Google’s account system allowed a cybersecurity researcher, identified as brutecat, to discover the phone number linked to any Google account. The issue was reported to Google and has since been fixed. While it existed, however, it posed a significant privacy risk, enabling hackers with limited resources to gain access to personal information.

Brutecat, an independent security researcher, revealed that they were able to determine the correct phone number linked to a test Gmail account in just six hours using brute-force techniques. Brute forcing involves rapidly trying different combinations of digits or characters until the desired result is found.

As part of their research, brutecat exploited the vulnerability to recover the target’s phone number in under an hour for US numbers, 8 minutes for UK numbers, and less than a minute for other countries. Google has acknowledged the issue and thanked brutecat for reporting it, awarding them $5,000 and some swag.

Phone numbers are crucial information for SIM swappers, who use this data to impersonate victims and gain access to valuable accounts, including email and cryptocurrency storage. The discovery of this vulnerability highlights the importance of working with security research communities to identify and fix issues quickly.

Google has implemented measures to prevent similar vulnerabilities in the future, and users can take steps to protect their personal information by being cautious when sharing phone numbers on social media or through other public channels.

Source: https://www.wired.com/story/a-researcher-figured-out-how-to-reveal-any-phone-number-linked-to-a-google-account