Google fixes bug that could reveal users' private phone numbers
A security researcher has found a bug that could be exploited to reveal the private recovery phone number of almost any Google account without alerting its owner, potentially exposing users to privacy and security risks.
Google confirmed to TechCrunch that it fixed the bug after the researcher alerted the company in April.
The independent researcher, who goes by the handle brutecat and blogged their findings, told TechCrunch that they could obtain the recovery phone number of a Google account by exploiting a bug in the company's account recovery feature.
The exploit relied on an "attack chain" of several individual processes working in tandem, including leaking the full display name of a targeted account and bypassing an anti-bot protection mechanism that Google implemented to prevent the malicious spamming of password reset requests. Bypassing the rate limit ultimately allowed the researcher to cycle through every possible permutation of a Google account's phone number in a short space of time and arrive at the correct digits.
By automating the attack chain with a script, the researcher said it was possible to brute-force a Google account owner's recovery phone number in 20 minutes or less, depending on the length of the phone number.
To test this, TechCrunch set up a new Google account with a phone number that had never been used before, then provided brutecat with the email address of our new Google account.
A short while later, brutecat messaged back with the phone number that we had set.
"bingo :)," said the researcher.
Revealing the private recovery phone number can expose even anonymous Google accounts to targeted attacks, such as takeover attempts. Knowing a private phone number associated with someone's Google account could make it easier for skilled hackers to take control of that phone number through a SIM swap attack, for example. With control of that phone number, the attacker can reset the password of any account associated with that phone number by generating password reset codes sent to that phone.
Given the potential risk to the broader public, TechCrunch agreed to hold this story until the bug could be fixed.
"This issue has been fixed. We've always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue," Google spokesperson Kimberly Samra told TechCrunch. "Researcher submissions like this are one of the many ways we're able to quickly find and fix issues for the safety of our users."
Samra said that the company has seen "no confirmed, direct links to exploits at this time."
Brutecat said Google paid $5,000 in a bug bounty reward for their finding.