Google has stepped in to address a security flaw that could have made it possible to brute-force an account’s recovery phone number, potentially exposing them to privacy and security risks.
The issue, according to Singaporean security researcher “brutecat,” leverages an issue in the company’s account recovery feature.
That said, exploiting the vulnerability hinges on several moving parts, specifically targeting a now-deprecated JavaScript-disabled version of the Google username recovery form (“accounts.google[.]com/signin/usernamerecovery”) that lacked anti-abuse protections designed to prevent spammy requests.
The page in question is designed to help users check if a recovery email or phone number is associated with a specific display name (e.g., “John Smith”).
But circumventing the CAPTCHA-based rate limit ultimately made it possible to try out all permutations of a Google account’s phone number in a short space of time and arrive at the correct digits in seconds or minutes, depending on the length of the phone number (which varies from country to country).
An attacker could also take advantage of Google’s Forgot Password flow to figure out the country code associated with a victim’s phone number, as well as obtain their display name by creating a Looker Studio document and transferring ownership to the victim, effectively causing their full name to be leaked on the home page.
In all, the exploit requires performing the following steps –
- Leak the Google account display name via Looker Studio
- Run the forgot password flow for a target email address to get the masked phone number with the last 2 digits displayed to the attacker (e.g., •• ••••••03)
- Brute-force the phone number against the username recovery endpoint to brute-force the phone number
Brutecat said a Singapore-based number could be leaked using the aforementioned technique in a span of 5 seconds, while a U.S. number could be unmasked in about 20 minutes.
Armed with the knowledge of a phone number associated with a Google account, a bad actor could take control of it through a SIM-swapping attack and ultimately reset the password of any account associated with that phone number.
Following responsible disclosure on April 14, 2025, Google awarded the researcher a $5,000 bug bounty and plugged the vulnerability by completely getting rid of the non-JavaScript username recovery form as of June 6, 2025.
The findings come months after the same researcher detailed another $10,000 exploit that an attacker could have weaponized to expose the email address of any YouTube channel owner by chaining a flaw in the YouTube API and an outdated web API associated with Pixel Recorder.
Then in March, brutecat also revealed that it’s possible to glean email addresses belonging to creators who are part of the YouTube Partner Program (YPP) by leveraging an access control issue in the “/get_creator_channels” endpoint, earning them a reward of $20,000.
“[An] access control issue in /get_creator_channels leaks channel contentOwnerAssociation, which leads to channel email address disclosure via Content ID API,” Google said.
“An attacker with access to a Google account that had a channel that joined the YouTube Partner Program (over 3 million channels) can obtain the email address as well as monetization details of any other channel in the YouTube Partner Program. The attacker can use this to de-anonymize a YouTuber (as there is an expectation of pseudo-anonymity in YouTube), or phish them.”
