Recommended reading

Google has fixed an issue that could have revealed your phone number to anyone - here's what you need to know

News
By published

Experts uncover a way to guess the number by trying as many times as needed

A hand holding a smartphone showing the phone number dialling screen
(Image credit: Shutterstock / DenPhotos)
  • A security researcher found a way to bypass Google's anti-bot mechanism
  • This allowed them to automate guessing the number
  • Google fixed the flaw and thanked the researcher

Google has fixed a flaw which was able to expose the phone number associated with any Google account, putting people at different privacy and security risks.

A security researcher with the alias ‘brutecat’ uncovered a way to bypass the anti-bot protection which prevented people from spamming password reset requests on Google accounts.

This allowed them to cycle through every possible combination until they were able to get the correct phone number. Later, they were able to automate the process, resulting in the phone number being guessed in roughly 20 minutes (depending on how many digits the number has).

Risks of exposed numbers

There are multiple privacy and security challenges that stem from an exposed phone number. For one, people who rely on anonymity (such as journalists, political opposition, dissidents, and similar) could be more vulnerable to targeted attacks. Also, exposing a person’s phone number opens them up to SIM-swap attacks, as well as phishing and social engineering. Finally, if an attacker successfully hijacks a phone number, they could reset passwords and gain unauthorized access to linked accounts.

Luckily enough, the issue has been fixed, and so far there have been no reports of the flaw being abused in the wild.

TechCrunch was one of the publications confirming the authenticity of the flaw, after setting up a dummy account with a brand new phone number, and having it “cracked” soon after.

“This issue has been fixed. We’ve always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue,” Google spokesperson Kimberly Samra told TechCrunch.

“Researcher submissions like this are one of the many ways we’re able to quickly find and fix issues for the safety of our users.”

Samra said that the company has seen “no confirmed, direct links to exploits at this time.”

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.