- A security researcher found a way to bypass Google's anti-bot mechanism
- This let them automate guessing the phone number linked to an account
- Google fixed the bug and thanked the researcher
Google has fixed a bug that could reveal the phone number linked to any Google account, exposing people to a range of privacy and security risks.
A security researcher using the alias 'Brirtecat' disclosed a way of bypassing the anti-bot protection that rate-limited password reset requests on Google accounts.
This allowed them to cycle through every possible combination until they hit the right phone number. They were later able to automate the process, which produced the phone number in about 20 minutes (depending on how many digits the number has).
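The attack described above works because each guess looks like an ordinary, low-volume reset request from the sender's point of view, so a defender who only counts requests per source IP will miss it once the anti-bot layer is bypassed or the guesses are spread across addresses. The following is an added example, not code from the article or from Google, showing the detection logic a defender would run over reset-endpoint logs: it keys the sliding window on the target account rather than the source IP and counts distinct phone-number guesses. The log format, field names and all sample lines are constructed for the example.

```python
"""Sliding-window detector for phone-number enumeration against a
password reset endpoint.  Added example with constructed logs; the
log format and thresholds are assumptions, not anything Google uses."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)   # assumed observation window
THRESHOLD = 20                  # distinct guesses per target account in WINDOW


def build_sample_log():
    """Constructed sample: 30 guesses against one account from three
    rotating source IPs within two minutes (enumeration), plus single,
    legitimate-looking reset attempts on two other accounts."""
    base = datetime(2025, 6, 1, 10, 0, 0, tzinfo=timezone.utc)
    ips = ["203.0.113.5", "203.0.113.6", "198.51.100.7"]
    lines = []
    for i in range(30):
        ts = base + timedelta(seconds=4 * i)
        # fields: timestamp source_ip target_account guessed_number result
        lines.append(f"{ts.isoformat()} {ips[i % 3]} victim@example.com 555-01{i:02d} fail")
    lines.append(f"{(base + timedelta(seconds=30)).isoformat()} 192.0.2.9 alice@example.com 555-0199 ok")
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()} 192.0.2.10 bob@example.com 555-0200 fail")
    return sorted(lines)


def parse_line(line):
    ts, ip, account, guess, result = line.split()
    return datetime.fromisoformat(ts), ip, account, guess, result


def detect_enumeration(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {account: alert} for accounts that receive at least
    `threshold` distinct guesses within any `window`.  The window is keyed
    on the target account, not the source IP, because a bypassed anti-bot
    control (or an attacker rotating addresses) keeps each IP's count low."""
    recent = defaultdict(deque)   # account -> deque of (ts, guess, ip)
    alerts = {}
    for line in lines:
        ts, ip, account, guess, _result = parse_line(line)
        q = recent[account]
        q.append((ts, guess, ip))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        guesses = {g for _, g, _ in q}
        if len(guesses) >= threshold:
            alerts[account] = {
                "first_seen": q[0][0],
                "last_seen": ts,
                "distinct_guesses": len(guesses),
                "source_ips": sorted({i for _, _, i in q}),
            }
    return alerts


def max_requests_per_ip(lines):
    """Highest request count seen from any single source IP, to show what
    an IP-keyed rule would have to work with."""
    counts = defaultdict(int)
    for line in lines:
        counts[parse_line(line)[1]] += 1
    return max(counts.values())


if __name__ == "__main__":
    log = build_sample_log()
    for account, alert in detect_enumeration(log).items():
        print(f"ALERT {account}: {alert['distinct_guesses']} distinct guesses "
              f"from {len(alert['source_ips'])} IPs between "
              f"{alert['first_seen']:%H:%M:%S} and {alert['last_seen']:%H:%M:%S}")
    print("busiest single IP made", max_requests_per_ip(log), "requests")
```

On the constructed sample, the busiest single IP makes only 10 requests, well under the threshold, while the per-account window fires on the 20th distinct guess. The same account-keyed signal is what the fix on the server side should enforce as a hard limit rather than merely alert on: a phone-number hint is a secret, and a secret that can be polled should be rate-limited on the object being guessed.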
Risks for exposed numbers
An exposed phone number brings several privacy and security problems. First, people who depend on anonymity (journalists, political opposition, dissidents and the like) become easier to target. Exposing a person's phone number also opens them up to SIM-swap attacks as well as phishing and social engineering. Finally, if an attacker successfully hijacks a phone number, they can reset passwords and gain unauthorized access to the accounts tied to it.
Fortunately, the issue has been fixed, and so far there have been no reports of the bug being abused in the wild.
TechCrunch was one of the publications that confirmed the bug was genuine, after creating a dummy account with a brand-new phone number and having it "cracked" shortly afterwards.
"This issue has been fixed. We have always emphasized the importance of working with the security research community through our vulnerability reward program, and we would like to thank the researcher for flagging this issue," Google spokesperson Kimberly Samra told TechCrunch.
"Researcher submissions like this are one of the many ways we can quickly find and fix problems for the safety of our users."
Samra said the company has seen "no confirmed, direct links to exploitation at this time."