Particle.news

Google Patches Account Recovery Flaw That Exposed Users’ Phone Numbers

Removing the legacy no-JavaScript endpoint shuts down the brute-force attack chain that could have enabled SIM swap takeovers, safeguarding users’ accounts against unauthorized access.

Hackers can steal private recovery phone numbers to access users' bank accounts.

Overview

  • The flaw, discovered in April by researcher brutecat, exploited a legacy account recovery form to brute-force a user’s linked phone number, creating a potential route for SIM swapping.
  • Google initially rated the vulnerability as low risk but upgraded its severity to medium and applied interim mitigations on May 22.
  • On June 6, Google fully deprecated the vulnerable no-JavaScript recovery endpoint, rendering the exploit unusable.
  • The brute-force attack chain bypassed rate limits and bot protections by rotating IPv6 addresses and reusing BotGuard tokens to cycle through number permutations.
  • Google awarded a $5,000 bug bounty to brutecat for reporting the issue and said it has found no signs of malicious exploitation.