Recovery numbers could be brute-forced in 20 minutes.
Google has issued a patch for a security issue impacting its account recovery feature that could be leveraged to covertly leak Google account-linked phone numbers.
According to TechCrunch, security researcher brutecat built an exploit that exposed a targeted account's full display name while bypassing the anti-bot protection Google uses to limit spamming of password reset requests.
According to brutecat, a script automating the process could brute-force a recovery phone number in at most 20 minutes.
"We've always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue," said Google spokesperson Kimberly Samra. "Researcher submissions like this are one of the many ways we're able to quickly find and fix issues for the safety of our users."
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.