Vulnerability in Google Platform Exposed User Phone Numbers to Unauthorized Detection

Google has addressed vulnerabilities that exposed the phone numbers associated with nearly any Google account. This issue was identified within the account recovery process, which allows users to regain access using their phone numbers.

A cybersecurity researcher discovered that the account recovery page lacked the necessary BotGuard protection. BotGuard is a cloud-based solution that defends websites and applications against malicious bots and automated attacks. However, it works only when JavaScript is enabled, because it relies on executing JavaScript in the browser to collect the client-side signals it needs. A client that does not execute JavaScript, or has it disabled, therefore falls outside BotGuard's protection.

To bypass the remaining security measures, the researcher used rotating IP addresses along with techniques to sidestep CAPTCHA challenges, reaching a rate of 40,000 requests per second. At that rate, an attacker who knew the country code of a phone number could discover the recovery number in approximately 20 minutes for a US number and about four minutes for a UK number, the UK being faster because its numbers have a shorter format.

A crucial factor was that Google's recovery flow shows a hint consisting of the last two digits of the phone number, which narrows the search considerably. The researcher used Google's own 'libphonenumber' library to generate candidate numbers in valid formats, so that no requests were wasted on impossible numbers.
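The attack above works because the recovery page answers an unbounded number of guesses about one account from ever-changing source addresses. The following added example (not Google's code or the researcher's) replays a constructed request log through a sliding-window limiter keyed first by source IP and then by target account, showing why a per-IP limit is defeated by IP rotation while a per-target limit caps the total number of guesses; the addresses, accounts and limit values are made up for illustration.

```python
from collections import defaultdict, deque

# Constructed sample: (seconds, source_ip, target_account). Fifty probes against
# one account, each from a fresh address, plus a few normal attempts on another.
PROBES = [(i * 0.2, f"203.0.113.{i}", "victim@example.com") for i in range(50)]
NORMAL = [(1.0, "198.51.100.7", "alice@example.com"),
          (30.0, "198.51.100.7", "alice@example.com"),
          (55.0, "198.51.100.7", "alice@example.com")]
REQUESTS = sorted(PROBES + NORMAL)


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within the trailing `window_s` seconds."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window_s = window_s
        self.events = defaultdict(deque)  # key -> timestamps of allowed events

    def allow(self, ts, key):
        q = self.events[key]
        while q and ts - q[0] >= self.window_s:  # expire events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def run(requests, key_fn, limit=5, window_s=60):
    """Replay requests through a limiter; return {target: (allowed, denied)}."""
    limiter = SlidingWindowLimiter(limit, window_s)
    outcome = defaultdict(lambda: [0, 0])
    for ts, ip, target in requests:
        idx = 0 if limiter.allow(ts, key_fn(ip, target)) else 1
        outcome[target][idx] += 1
    return {t: tuple(v) for t, v in outcome.items()}


if __name__ == "__main__":
    # Keyed by IP every rotated probe looks new, so all 50 pass; keyed by the
    # account under attack only the first 5 pass and the rest are denied.
    print("keyed by source IP:     ", run(REQUESTS, lambda ip, target: ip))
    print("keyed by target account:", run(REQUESTS, lambda ip, target: target))
```

The target-keyed limit does not affect the legitimate user of the other account, whose three attempts stay under the threshold.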

Additionally, the complete display name of the targeted account was required. The researcher identified a method to extract this information by abusing a feature within Looker Studio (formerly Google Data Studio). By creating a report and transferring its ownership to the victim's account via their email address, the researcher caused the victim's full name to appear in the "Recent documents" list on Looker Studio's homepage, without any interaction by, or notification to, the victim. The leak was traced to Looker Studio's interface, which still displayed names automatically during document ownership transfers, unlike other Google services that require user interaction first.

In response to this incident, a Google spokesperson stated, “This issue has been fixed. We’ve always emphasized the importance of collaboration with the security research community through our vulnerability rewards program, and we appreciate the researcher for highlighting this issue. Contributions like this enable us to swiftly identify and resolve vulnerabilities to enhance user safety.”

Google further indicated that there have been no confirmed reports of these vulnerabilities being exploited. Nonetheless, a flaw that lets an attacker recover the phone number tied to a Google account poses significant risks, particularly for phishing and SIM-swapping attacks, especially since many users register their primary phone numbers for account recovery.