
Google fixes bug that could reveal users’ private phone numbers

10-06-2025 10:55 AM


Ammon News - A security researcher has discovered a bug that could be exploited to reveal the private recovery phone number of almost any Google account without alerting its owner, potentially exposing users to privacy and security risks.

Google confirmed to TechCrunch that it fixed the bug after the researcher alerted the company in April.

The independent researcher, who goes by the handle brutecat and blogged their findings, told TechCrunch that they could obtain the recovery phone number of a Google account by exploiting a bug in the company’s account recovery feature.

The exploit relied on an “attack chain” of several individual processes working in tandem, including leaking the full display name of a targeted account, and bypassing an anti-bot protection mechanism that Google implemented to prevent the malicious spamming of password reset requests. Bypassing the rate limit ultimately allowed the researcher to cycle through every possible permutation of a Google account’s phone number in a short space of time and arrive at the correct digits.

By automating the attack chain with a script, the researcher said it was possible to brute-force a Google account owner’s recovery phone number in 20 minutes or less, depending on the length of the phone number. (TechCrunch)



