A vulnerability allowed researchers to incite the recovery phone number of any Google account to know their profile name and easily received partial phone number, which posed a big risk for fishing and SIM-swapping attacks.
The method of attack involves misusing the now-deprived JavaScript-competent version of the Google user name recovery form, which lacked the anti-modern-day security security.
The defect was discovered Safety researcator brutecatIt is possible to highlight the private email address of YouTube accounts in February.
Brutecat told Bleepingcomputer that when the attack rebuilt the phone number users configured for Google Account Recovery, it is similar to the primary phone number of the account holder in most cases.
Brute-Forcing Google Number
Brutecat found that he could use an inheritance no-javascript user name recovery form, which was expected working.
If the phone number two post requests was connected with the Google account based on the user’s profile display name (“John Smith”), the form allowed Query.
The researcher ignored these requests /64 subnets by using the rotation of the IPV6 address to generate the trillions of the unique source of IPS through subnets.
The captures displayed by several requests were bypassed by replacing the parameters ‘Bgresponse = JS_DISABLED’ with a valid bootguard token from JS-competent form.
Source: Brutecat
With technology sets, Brutecat developed a brute-oorcing tool (GPB), which recurrence through the number range using country-specific forms and filters false positivity.
The researcher used Google’s ‘Libphonenumber’ to generate valid number forms, built a country mask database to identify phone formats by the region, and wrote a script to generate board tokens through the headless chrome.
At a brutal-founding rate of 40,000 requests per second, US number will take about 20 minutes, UK 4 minutes and Netherlands less than 15 seconds.
.jpg)
Source: Brutecat
To start an attack against someone, their email address is required for form, but Google has hidden it since last year.
Brutecat found that he could retrieve it by creating a look studio document and transferring ownership to the target’s Gmail address.
Once the ownership is transferred, the target’s Google performance name appears on the dashboard’s lukear studio dashboard, which requires zero interaction with the target.
Armed with this email address, they can repeatedly question all the phone numbers associated with the profile name.
Although, as thousands of accounts with the same profile name may be, the researcher limited it using a partial number of the target.
To get a partial phone number for the user, the researcher used Google’s “Account Recovery” workflow, which would display two digits of a configured recovery phone number.
“This time can also be significantly reduced through the phone number signal from the password reset flow in other services like Payal, which gives many more digits (EX.
Leaking the phone numbers attached to the Google account can lead to a large -scale security risk for users, which can later be targeted in targeted wishing attacks or SIM swap attacks.
The performance of exploiting this defect can be seen in the video below.
https://www.youtube.com/watch?v=AM3IPLYZ4SW
Bug fixed
On April 14, 2025, Brutecat reported his conclusions to Google through Tech Giant Valnarability Reward Program (VRP).
Google initially considered the absorbent risk to be low, but on May 22, 2025, it upgraded the issue to “moderate severity”, implemented interim mitigations and gave a reward of $ 5,000 to the researcher for disclosure.
On June 6, 2025, Google confirmed that it completely removed the weak NO-JS Recovery & Point.
The attack vector is no longer an exploitative, but it is unknown whether it was ever maliciously exploited.
Patching meant complex scripts, long and endless fire drills. No more.
In this new guide, the tines break down how it is leveling with modern organ automation. Patch fast, reduce overhead, and focus on strategic tasks – no complex script is required.
