A critical security vulnerability in Google’s infrastructure has been discovered that could have exposed the phone numbers of millions of users to malicious actors. The flaw, identified by cybersecurity researcher BruteCat, created significant opportunities for phishing campaigns and SIM swapping attacks, highlighting the ongoing challenges in securing large-scale digital platforms.
Understanding the Technical Vulnerability
The security flaw originated from an outdated Google form located at accounts.google.com/signin/usernamerecovery. This legacy system operated without JavaScript support and lacked modern automated attack prevention mechanisms. Originally designed to help users verify backup email addresses or phone numbers associated with specific account display names, the form became a gateway for unauthorized data extraction.
The researcher bypassed the form's primitive rate limiting by rotating the source address across IPv6 /64 subnets, which provide trillions of unique addresses, so that per-address limits never triggered. To circumvent CAPTCHA verification, BruteCat supplied valid BotGuard tokens, extracted from the JavaScript-enabled version of the form, in the bgresponse=js_disabled parameter.
Sophisticated Brute Force Attack Methodology
The attack methodology demonstrated remarkable technical sophistication, incorporating multiple components for maximum effectiveness. BruteCat developed a comprehensive automated tool that leveraged Google’s own libphonenumber library to generate correct phone number formats, created extensive databases of telephone number masks for various countries, and implemented scripts for generating BotGuard tokens through headless Chrome browsers.
This approach achieved a rate of approximately 40,000 requests per second, making large-scale enumeration feasible. The time needed to enumerate a full number varied by country, since national numbering plans differ in how many digits remain to be guessed: approximately 20 minutes for a United States number, 4 minutes for the United Kingdom, less than 15 seconds for the Netherlands, and under 5 seconds for Singapore.
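The two server-side gaps described above, a rate limit that a client can reset by rotating within one IPv6 /64 and no cap on how many candidate numbers may be tried against a single account, can both be closed at the endpoint. The following Python is an added example, not Google's code or the researcher's tool; it buckets IPv6 clients by /64, counts distinct candidates per targeted account, and replays constructed sample traffic through the guard. The log line format, bucket sizes, and thresholds are assumptions.

```python
"""Added example (not Google's code or BruteCat's tool): a rate limiter and
enumeration detector for a no-JavaScript recovery form. Limits are keyed on
the IPv6 /64 prefix and on the targeted account rather than on the raw
source address, so rotating through addresses inside one /64 does not
reset the quota. Log format and thresholds are assumptions."""
import ipaddress
from collections import defaultdict

# Thresholds are illustrative assumptions, not any real service's settings.
IP_LIMIT = 10       # requests allowed per client bucket
TARGET_LIMIT = 5    # distinct phone candidates allowed per targeted account


def client_key(ip_text):
    """Map a source address to the bucket a rate limit is charged against.

    IPv6 clients are bucketed by /64: a single /64 is commonly delegated to
    one customer and holds 2**64 addresses, so limiting per address lets a
    client reset its quota simply by moving to the next address.
    """
    addr = ipaddress.ip_address(ip_text)
    prefix = 64 if addr.version == 6 else 32
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class RecoveryFormGuard:
    """Per-client and per-target limits for a recovery / lookup form.

    State is kept for the life of the object; a production limiter would
    use a sliding time window and shared storage instead.
    """

    def __init__(self, ip_limit=IP_LIMIT, target_limit=TARGET_LIMIT):
        self.ip_limit = ip_limit
        self.target_limit = target_limit
        self.per_client = defaultdict(int)      # bucket -> request count
        self.per_target = defaultdict(set)      # target -> candidates tried

    def check(self, src_ip, target, candidate):
        """Return 'allow', or a short reason the request was refused."""
        bucket = client_key(src_ip)
        self.per_client[bucket] += 1
        self.per_target[target].add(candidate)
        if self.per_client[bucket] > self.ip_limit:
            return f"blocked: {bucket} over request limit"
        if len(self.per_target[target]) > self.target_limit:
            return "blocked: too many candidates for one target"
        return "allow"

    def flagged_targets(self):
        """Targets that saw more distinct candidates than one user would try."""
        return sorted(t for t, c in self.per_target.items()
                      if len(c) > self.target_limit)


def replay(log_lines, guard=None):
    """Run 'src_ip target candidate' lines through the guard; return verdicts."""
    guard = guard or RecoveryFormGuard()
    verdicts = []
    for line in log_lines:
        src_ip, target, candidate = line.split()
        verdicts.append(guard.check(src_ip, target, candidate))
    return verdicts, guard


# Constructed sample traffic (not real logs): one client rotating through
# addresses inside a single /64 while trying candidate numbers against one
# display name and masked hint, plus two unrelated IPv4 users.
SAMPLE_LOG = [
    f"2001:db8:1:2::{i:x} jane_doe|..45 +1555000{i:04d}45" for i in range(1, 13)
] + [
    "198.51.100.7 bob_smith|..12 +15550001212",
    "203.0.113.9 alice_lee|..78 +15550003478",
]

if __name__ == "__main__":
    verdicts, guard = replay(SAMPLE_LOG)
    for line, verdict in zip(SAMPLE_LOG, verdicts):
        print(f"{verdict:48} {line}")
    print("flagged targets:", guard.flagged_targets())
```

In the replay, the first five lookups against the rotated /64 are allowed, the sixth onward is refused because the target has already seen more candidates than a legitimate user would try, and the eleventh onward is refused by the /64 bucket as well; the two IPv4 users are unaffected. The per-target limit matters on its own, since an attacker with many /64s could still spread requests across them.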
Bypassing Display Name Protection Mechanisms
Conducting targeted attacks against specific users required knowledge of their display names, information that Google had significantly restricted access to during 2023-2024. However, the researcher discovered an ingenious workaround through Google’s Looker Studio service.
By creating a document in Looker Studio and transferring its ownership to the target's Gmail address, an attacker could learn the display name without any interaction from the victim. To narrow the search among the many accounts sharing a display name, the technique combined this with the masked phone hint from Google's account recovery flow, which reveals the last two digits of the associated number.
Timeline of Discovery and Remediation
The vulnerability was responsibly disclosed through Google’s bug bounty program in April 2024. Initially, Google assessed the risk level as low, but by May 22, 2024, the severity was elevated to “medium” with temporary protective measures implemented. BruteCat received a $5,000 reward for the discovery.
Complete remediation occurred on June 6, 2024, when Google permanently disabled access to the JavaScript-disabled form. However, it remains unknown whether malicious actors exploited this vulnerability before its closure, raising concerns about potential unreported incidents.
Implications for SIM Swapping and Social Engineering
The discovered vulnerability created significant risks for advanced social engineering attacks, particularly SIM swapping schemes where criminals hijack victims’ phone numbers to bypass two-factor authentication. Access to accurate phone numbers associated with specific Google accounts would have provided attackers with crucial information for convincing telecommunications providers to transfer phone numbers.
This type of attack vector demonstrates how seemingly minor information leaks can cascade into major security breaches, especially when combined with other publicly available data sources and social engineering techniques.
This incident underscores the critical importance of conducting regular security audits on legacy system components and implementing modern protection mechanisms across all infrastructure elements. Organizations must prioritize the identification and remediation of outdated endpoints that may lack contemporary security controls. Users should enable two-factor authentication using hardware keys rather than SMS-based verification, regularly review account security settings, and remain vigilant against phishing attempts that may leverage exposed personal information. The discovery serves as a reminder that even technology giants must continuously evolve their security practices to address emerging threats and protect user privacy in an increasingly connected digital landscape.