Skip to content
  • Blog Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form

Researcher Found Flaw to Discover Phone Numbers Linked to Any Google Account

Posted on June 10, 2025June 10, 2025 By CWS

Jun 10, 2025Ravie LakshmananVulnerability / API Safety
Google has stepped in to handle a safety flaw that might have made it attainable to brute-force an account’s restoration telephone quantity, probably exposing them to privateness and safety dangers.
The difficulty, in accordance with Singaporean safety researcher “brutecat,” leverages a difficulty within the firm’s account restoration characteristic.
That stated, exploiting the vulnerability hinges on a number of transferring elements, particularly focusing on a now-deprecated JavaScript-disabled model of the Google username restoration kind (“accounts.google[.]com/signin/usernamerecovery”) that lacked anti-abuse protections designed to forestall spammy requests.
The web page in query is designed to assist customers test if a restoration e-mail or telephone quantity is related to a particular show title (e.g., “John Smith”).

However circumventing the CAPTCHA-based charge restrict finally made it attainable to check out all permutations of a Google account’s telephone quantity in a brief area of time and arrive on the appropriate digits in seconds or minutes, relying on the size of the telephone quantity (which varies from nation to nation).
An attacker might additionally reap the benefits of Google’s Forgot Password move to determine the nation code related to a sufferer’s telephone quantity, in addition to get hold of their show title by making a Looker Studio doc and transferring possession to the sufferer, successfully inflicting their full title to be leaked on the house web page.
In all, the exploit requires performing the next steps –

Leak the Google account show title by way of Looker Studio
Run the forgot password move for a goal e-mail deal with to get the masked telephone quantity with the final 2 digits exhibited to the attacker (e.g., •• ••••••03)
Brute-force the telephone quantity towards the username restoration endpoint to brute-force the telephone quantity

Brutecat stated a Singapore-based quantity might be leaked utilizing the aforementioned method in a span of 5 seconds, whereas a U.S. quantity might be unmasked in about 20 minutes.

Armed with the data of a telephone quantity related to a Google account, a foul actor might take management of it via a SIM-swapping assault and finally reset the password of any account related to that telephone quantity.
Following accountable disclosure on April 14, 2025, Google awarded the researcher a $5,000 bug bounty and plugged the vulnerability by utterly eliminating the non-JavaScript username restoration kind as of June 6, 2025.
The findings come months after the identical researcher detailed one other $10,000 exploit that an attacker might have weaponized to reveal the e-mail deal with of any YouTube channel proprietor by chaining a flaw within the YouTube API and an outdated net API related to Pixel Recorder.

Then in March, brutecat additionally revealed that it is attainable to glean e-mail addresses belonging to creators who’re a part of the YouTube Associate Program (YPP) by leveraging an entry management difficulty within the “/get_creator_channels” endpoint, incomes them a reward of $20,000.
“[An] entry management difficulty in /get_creator_channels leaks channel contentOwnerAssociation, which ends up in channel e-mail deal with disclosure by way of Content material ID API,” Google stated.
“An attacker with entry to a Google account that had a channel that joined the YouTube Associate Program (over 3 million channels) can get hold of the e-mail deal with in addition to monetization particulars of another channel within the YouTube Associate Program. The attacker can use this to de-anonymize a YouTuber (as there’s an expectation of pseudo-anonymity in YouTube), or phish them.”

Discovered this text fascinating? Observe us on Twitter  and LinkedIn to learn extra unique content material we put up.

The Hacker News Tags:Account, Discover, Flaw, Google, Linked, Numbers, Phone, Researcher

Post navigation

Previous Post: Exploited Vulnerability Impacts Over 80,000 Roundcube Servers
Next Post: Sensitive Information Stolen in Sensata Ransomware Attack

Related Posts

Newly Emerged GLOBAL GROUP RaaS Expands Operations with AI-Driven Negotiation Tools The Hacker News
Citrix Bleed 2 Flaw Enables Token Theft; SAP GUI Flaws Risk Sensitive Data Exposure The Hacker News
Critical Flaws in Niagara Framework Threaten Smart Buildings and Industrial Systems Worldwide The Hacker News
Are Forgotten AD Service Accounts Leaving You at Risk? The Hacker News
TAG-140 Deploys DRAT V2 RAT, Targeting Indian Government, Defense, and Rail Sectors The Hacker News
ASUS Patches DriverHub RCE Flaws Exploitable via HTTP and Crafted .ini Files The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Noma Security Raises $100 Million for AI Security Platform
  • 5 Best IT Infrastructure Modernisation Services In 2025
  • 17K+ SharePoint Servers Exposed to Internet
  • Chinese Researchers Suggest Lasers and Sabotage to Counter Musk’s Starlink Satellites
  • Reach Security Raises $10 Million for Exposure Management Solution

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Noma Security Raises $100 Million for AI Security Platform
  • 5 Best IT Infrastructure Modernisation Services In 2025
  • 17K+ SharePoint Servers Exposed to Internet
  • Chinese Researchers Suggest Lasers and Sabotage to Counter Musk’s Starlink Satellites
  • Reach Security Raises $10 Million for Exposure Management Solution

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News