Researcher Discovers Critical Google Vulnerability That Exposed Phone Numbers for Account Hacks

A Major Privacy Flaw Exposed in Google Accounts

A cybersecurity researcher recently uncovered a serious flaw in Google’s account security that made it possible to discover any user’s phone number linked to their Google account. The vulnerability was tested and verified by 404 Media and Wired, shedding light on how even novice hackers could have exploited it with limited resources.

Although Google has since patched the vulnerability, its implications for privacy and digital identity were far-reaching.

How the Exploit Worked

The researcher, known online as Brutecat, demonstrated how the flaw allowed attackers to brute-force phone numbers associated with Google accounts. Using a cleverly engineered process, attackers only needed the Google username—which Brutecat showed could be extracted without alerting the user.

The trick involved sharing ownership of a Google Looker Studio document with the target. By embedding 1 million characters in the document title, Brutecat ensured that the transfer happened silently, without any notifications to the victim.

Once the username was obtained, a custom script would bombard Google’s systems with different phone number combinations until a match was found—all without the victim being notified.
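Seen from the defending side, guessing of this kind stands out when lookups are counted per targeted account rather than per client. The sketch below is an added example, not code from Brutecat, Google or the outlets cited; the log fields, thresholds, account labels and sample events are all constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed sliding window
MAX_DISTINCT = 5      # assumed ceiling on distinct numbers tried per account

def find_enumerated_accounts(events, window=WINDOW_SECONDS, limit=MAX_DISTINCT):
    """Return {account: timestamp of first alert}.

    events: (timestamp, source, account, phone_candidate) tuples sorted by time.
    Counting is keyed on the targeted account, so guesses spread across many
    client addresses still add up to one total.
    """
    recent = defaultdict(deque)   # account -> (timestamp, candidate) in window
    alerts = {}
    for ts, _source, account, candidate in events:
        q = recent[account]
        q.append((ts, candidate))
        while q and q[0][0] <= ts - window:   # drop entries older than window
            q.popleft()
        if account not in alerts and len({c for _, c in q}) > limit:
            alerts[account] = ts
    return alerts

def busiest_source(events):
    """Highest request count from one source: all a per-client limit sees."""
    counts = defaultdict(int)
    for _ts, source, _account, _candidate in events:
        counts[source] += 1
    return max(counts.values(), default=0)

def build_sample_events():
    """Constructed sample log (documentation IPs, fictional 555 numbers)."""
    events = []
    # One account probed with a new candidate each second, each from a new source.
    for i in range(10):
        events.append((100 + i, f"198.51.100.{i + 1}", "account-a", f"+120255501{i:02d}"))
    # A user retyping the same number three times.
    for i in range(3):
        events.append((100 + 2 * i, "203.0.113.7", "account-b", "+12025550199"))
    # Two different numbers tried minutes apart.
    events.append((105, "203.0.113.9", "account-c", "+12025550150"))
    events.append((400, "203.0.113.9", "account-c", "+12025550151"))
    return sorted(events)

if __name__ == "__main__":
    sample = build_sample_events()
    print("busiest single source:", busiest_source(sample), "requests")
    print("accounts flagged:", find_enumerated_accounts(sample))
```

In the constructed log no single source sends more than three requests, yet the per-account count flags the probed account on its sixth distinct candidate.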

Speed and Efficiency of the Attack

One of the most alarming aspects of the flaw was how quickly the brute-force attack could be carried out:

  • U.S. phone number: ~1 hour
  • U.K. phone number: ~8 minutes
  • Other countries: under 1 minute in some cases

In a test for journalists at Wired, Brutecat was able to retrieve a full, correct phone number tied to a Gmail address in just six hours.

“This exploit is basically a gold mine for SIM-swapping scammers,” Brutecat warned. Once an attacker identifies the number, they could proceed to impersonate the victim and request a SIM card replacement, which could give them full access to two-factor authentication and recovery options.

Google’s Response and Researcher Reward

Initially, Google categorized the vulnerability as low severity, but later reclassified it as medium risk upon deeper investigation. The company awarded Brutecat a $5,000 bounty, along with additional compensation for related findings.

The good news? The vulnerability has now been fixed. But the fact that it existed—and could be exploited so efficiently—raises significant concerns about the robustness of account security for billions of users.

What This Means for Users

This incident underscores the importance of protecting your digital identity. Even best practices, such as not linking public phone numbers to personal accounts, may not be enough when brute-force techniques are used.

Law enforcement agencies like the FBI have long recommended avoiding widely known phone numbers for account setups. But in a world of increasingly clever attack vectors, users must stay alert and employ additional layers of security, such as hardware-based keys or authenticator apps.

Conclusion

The Google account exploit discovered by Brutecat serves as a stark reminder that no system is immune to vulnerabilities—even those run by tech giants. While the issue has been resolved, it illustrates how attackers continuously innovate to bypass digital defenses. Ongoing vigilance, responsible disclosure, and robust user habits remain our strongest lines of defense in an ever-evolving threat landscape.
