- A security researcher found a way to avoid the mechanism against the Google button
- This allowed them to automate guessing the number
- Google solved the fault and thanked the researcher
Google has solved a failure that could expose the telephone number associated with any Google account, which puts people in different privacy and safety risks.
A security researcher with the alias ‘Brutecat’ discovered a way to avoid protection against the button that prevented people from sending spam to requests to restore password in Google accounts.
This allowed them to travel all possible combinations until they could obtain the right phone number. Later, they could automate the process, which turned out that the phone number is guessed in approximately 20 minutes (depending on how many digits the number has).
Risks of exposed numbers
There are multiple privacy and safety challenges that come from an exposed telephone number. On the one hand, people who trust anonymity (such as journalists, political opposition, dissidents and the like) could be more vulnerable to directed attacks. In addition, expose a person’s phone number opens them to SIM exchange attacks, as well as Phishing and Social Engineering. Finally, if an attacker successfully kidnaps a telephone number, could restore passwords and obtain unauthorized access to linked accounts.
Fortunately, the problem has been solved, and so far there have been reports that the defect is abused in nature.
Techcrunch It was one of the publications that confirmed the authenticity of the defect, after configuring a fictional account with a new phone number, and that “group” shortly after.
“This problem has been solved. We have always emphasized the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for marking this problem,” said Google spokeswoman Kimberly Samra, Techcrunch.
“The presentations of researchers like this are one of the many ways in which we can find and quickly solve problems for the safety of our users.”
Samra said the company has not seen “without confirmed direct links for exploits at this time.”
