A critical vulnerability in Google’s account recovery system has allowed attackers to brute-force and obtain any Google user’s phone number. This significant security flaw, discovered by security researcher BruteCat, created a massive risk for both phishing and SIM-swapping attacks. The attack method involved abusing a now-deprecated JavaScript-disabled version of the Google username recovery form, which lacked modern protections. To exploit this, an attacker only needed to know their target’s profile name and an easily retrieved partial phone number. BruteCat stated this recovery phone number is the same as the primary number for most people, increasing the overall potential risk.
The complete attack chain required three key components to successfully extract the full phone numbers of any targeted Google user. First, attackers needed to obtain the target’s Google account display name, which could be leaked through Google’s Looker Studio product. Second, the standard “forgot password” flow provided a masked phone number hint showing the last few digits of the configured number. With this crucial information, attackers could then systematically brute-force the remaining digits using a custom-built tool called “gpb”. The researcher successfully bypassed Google’s rate-limiting defenses by using IPv6 address rotation to generate trillions of unique source IP addresses for requests.
The custom brute-forcing tool, named “gpb,” worked by iterating through all possible number ranges using country-specific telephone number formats.
The researcher used Google’s own ‘libphonenumber’ library to generate all the valid number formats required for different targeted geographic regions. Using very affordable consumer-grade hardware costing just $0.30 per hour, the researcher achieved approximately 40,000 verification attempts per second. The time required to successfully brute-force numbers varied significantly by country, with United States numbers requiring approximately 20 minutes.
Additional hints from other online services like PayPal could have dramatically reduced this required attack time by providing more known digits.
The researcher, BruteCat, responsibly reported all his findings to Google via their Vulnerability Reward Program on April 14, 2025. Google initially considered the exploitation risk to be low but later upgraded the serious issue to “medium severity” on May 22nd. The company implemented immediate mitigations while working toward a complete endpoint deprecation and paid the researcher a $5,000 reward. On June 6, 2025, Google officially confirmed that the vulnerable No-JavaScript username recovery form had been completely deprecated by their teams. This particular attack vector is no longer exploitable, but it remains unknown if it was ever maliciously exploited by others.
Reference:
