A recently patched security flaw in Google’s account recovery system allowed attackers to brute-force the full recovery phone number linked to any Google account using just a person’s display name and a partial phone number.
This created a serious risk for phishing and SIM-swap attacks.
The vulnerability was discovered by security researcher BruteCat, who previously exposed how private email addresses of YouTube users could be revealed. This time, BruteCat found that an old, JavaScript-disabled version of Google’s username recovery form lacked proper security protections, including rate limits and CAPTCHA enforcement.
By rotating IP addresses using IPv6 and generating valid phone numbers with Google’s tools, the researcher was able to send up to 40,000 requests per second to guess phone numbers. He also bypassed CAPTCHA protections by injecting a valid BotGuard token, allowing the process to run smoothly.
To identify the right phone number for a specific target, BruteCat used Google’s recovery hints (which show two digits of a linked number) and extra clues from services like PayPal, which often reveal more digits during password recovery. This made it easier to narrow down the exact number tied to a specific account.
BruteCat reported the issue to Google on April 14, 2025, through its Vulnerability Reward Program (VRP). Although Google initially rated the issue as low risk, it was later upgraded to medium severity, and the vulnerable form was fully disabled on June 6, 2025. BruteCat received a $5,000 bug bounty for his responsible disclosure.
The vulnerability has now been fixed, and the exploit is no longer possible. However, it is unclear whether the flaw was ever used in real-world attacks before being patched.
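The technique above worked because the legacy form enforced no rate limit and per-address limits are trivial to evade by rotating through an IPv6 range. The following is an added illustration, not code from Google or from BruteCat, of how a recovery endpoint can key its limiter on the IPv6 /64 prefix and on the targeted account rather than on the individual address; the thresholds and the 2001:db8::/64 addresses are constructed for the example.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW_SECONDS = 60
MAX_PER_SOURCE = 20   # assumed: lookups allowed per IPv6 /64 (or IPv4 address) per window
MAX_PER_TARGET = 10   # assumed: lookups allowed against one account name per window


def source_key(ip: str) -> str:
    """Collapse an IPv6 address to its /64 so rotating within the prefix shares one bucket."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(addr)


class RecoveryRateLimiter:
    """Sliding-window counters keyed by source prefix and by targeted account."""

    def __init__(self):
        self._by_source = defaultdict(deque)
        self._by_target = defaultdict(deque)

    def _count(self, bucket, key, now):
        q = bucket[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        q.append(now)          # denied attempts are counted too, so retries stay blocked
        return len(q)

    def allow(self, ip: str, target: str, now: float) -> bool:
        src = self._count(self._by_source, source_key(ip), now)
        tgt = self._count(self._by_target, target.strip().lower(), now)
        return src <= MAX_PER_SOURCE and tgt <= MAX_PER_TARGET


def simulate(n: int, rotate_target: bool) -> int:
    """Send n lookups from n distinct addresses inside one constructed /64; return how many pass."""
    limiter = RecoveryRateLimiter()
    allowed = 0
    for i in range(n):
        ip = f"2001:db8:abcd:1234::{i + 1:x}"            # constructed documentation-range address
        target = f"user{i}" if rotate_target else "Target Name"
        if limiter.allow(ip, target, now=i * 0.001):     # all inside one window
            allowed += 1
    return allowed
```

Rotating addresses inside the /64 against one account stops after MAX_PER_TARGET lookups, and even spreading guesses over many account names stops at MAX_PER_SOURCE, whereas a per-address limiter would pass all of them.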
Bijay Pokharel