- A security researcher found a way to bypass Google’s anti-bot mechanism
- This allowed them to automate guessing the number
- Google fixed the flaw and thanked the researcher
Google has fixed a flaw which was able to expose the phone number associated with any Google account, putting people at different privacy and security risks.
A security researcher with the alias ‘brutecat’ uncovered a way to bypass the anti-bot protection which prevented people from spamming password reset requests on Google accounts.
This allowed them to cycle through every possible combination until they were able to get the correct phone number. Later, they were able to automate the process, resulting in the phone number being guessed in roughly 20 minutes (depending on how many digits the number has).
Risks of exposed numbers
There are multiple privacy and security challenges that stem from an exposed phone number. For one, people who rely on anonymity (such as journalists, political opposition, dissidents, and similar) could be more vulnerable to targeted attacks. Also, exposing a person’s phone number opens them up to SIM-swap attacks, as well as phishing and social engineering. Finally, if an attacker successfully hijacks a phone number, they could reset passwords and gain unauthorized access to linked accounts.
Luckily enough, the issue has been fixed, and so far there have been no reports of the flaw being abused in the wild.
TechCrunch was one of the publications confirming the authenticity of the flaw, after setting up a dummy account with a brand new phone number, and having it “cracked” soon after.
“This issue has been fixed. We’ve always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue,” Google spokesperson Kimberly Samra told TechCrunch.
“Researcher submissions like this are one of the many ways we’re able to quickly find and fix issues for the safety of our users.”
Samra said that the company has seen “no confirmed, direct links to exploits at this time.”
You might also like
https://cdn.mos.cms.futurecdn.net/RTYjZ9AtKwb7MSGNfH2oEb.jpg
Source link
