
Google has addressed a high-severity vulnerability that allowed attackers to brute-force recovery phone numbers tied to user accounts using only a profile name and partial phone number. The flaw, reported by researcher “brutecat” and patched on June 9, 2025, could have enabled SIM-swapping and account takeover attacks at scale [1].
Technical Breakdown of the Vulnerability
The exploit chain leveraged Google’s No-JS username recovery form combined with BotGuard token reuse. Attackers could bypass rate limits using IPv6 rotation, achieving ~40,000 checks per second—enough to brute-force a US phone number in 20 minutes [3]. The attack required:
- A target’s public profile name
- The first three digits of their recovery phone number (derivable from carrier prefixes)
- Automated requests to Google’s account recovery endpoint
This vulnerability was particularly dangerous because phone numbers are often reused across multiple services. Once obtained, attackers could initiate SIM-swapping attacks or use the number for credential stuffing against other platforms [2].
Security Implications for Organizations
The incident highlights systemic risks in phone-based authentication. Major platforms like PayPal and Venmo still rely on SMS for account recovery, despite known SIM-swapping risks [5]. Most U.S. banks (including Chase and Bank of America) lack support for more secure alternatives like TOTP or U2F [6].
Carriers have implemented partial mitigations—Verizon’s “Number Lock” and T-Mobile’s “NOPORT” require in-person verification for SIM swaps. However, social engineering attacks continue to bypass these protections [4].
Mitigation Strategies
For security teams:
“Audit account recovery flows for similar brute-force vulnerabilities. Implement IP-based rate limiting that accounts for IPv6 rotation, and consider deprecating SMS-based recovery where possible.”
Recommended actions include:
- Enforcing hardware security keys for privileged accounts
- Monitoring for unauthorized phone number changes in identity systems
- Implementing secondary verification for account recovery attempts
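The rate-limit bypass described above worked because a per-address counter resets every time the client picks a fresh address from a large IPv6 allocation. The following is an added example (not Google's code or brutecat's) of the prefix-aware limiter the recommendation calls for: it keys the sliding window on the IPv6 /64 (IPv4 /24) prefix plus the target identifier, with the limit, window and prefix lengths being assumed policy values.

```python
"""Prefix-aware rate limiting for an account-recovery endpoint (added example)."""
import ipaddress
from collections import defaultdict, deque

# Assumed policy: at most LIMIT lookups per (prefix, target) per WINDOW seconds.
LIMIT = 20
WINDOW = 60.0
V6_PREFIX = 64   # typical per-customer allocation; use 48 to group more coarsely
V4_PREFIX = 24


def bucket_key(ip, v6_prefix=V6_PREFIX, v4_prefix=V4_PREFIX):
    """Collapse a source address to the network block it was allocated from."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        if addr.ipv4_mapped is not None:       # ::ffff:a.b.c.d is really an IPv4 client
            addr = addr.ipv4_mapped
        else:
            return str(ipaddress.ip_network((addr, v6_prefix), strict=False))
    return str(ipaddress.ip_network((addr, v4_prefix), strict=False))


class PrefixRateLimiter:
    """Sliding-window counter per (network prefix, target identifier)."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)        # key -> timestamps of recent hits

    def allow(self, ip, target, now):
        key = (bucket_key(ip), target)
        q = self._hits[key]
        while q and now - q[0] >= self.window:  # expire hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate_rotation(n, limit=LIMIT):
    """Constructed scenario: n lookups against one profile, each from a new
    address inside the same /64 (documentation prefix 2001:db8::/32).
    Returns (allowed by a naive per-address limiter, allowed by the prefix-aware one)."""
    naive, naive_ok = defaultdict(int), 0
    aware, aware_ok = PrefixRateLimiter(limit=limit), 0
    for i in range(n):
        ip = f"2001:db8:1:2::{i + 1:x}"
        if naive[ip] < limit:                  # per-address counter never fills up
            naive[ip] += 1
            naive_ok += 1
        if aware.allow(ip, "target-profile", now=i / 1000):
            aware_ok += 1
    return naive_ok, aware_ok
```

In production the prefix lengths should follow observed allocation sizes, and the limiter should be backed by shared storage so that every front-end sees the same counters.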
Conclusion
This vulnerability underscores the fragility of phone-based authentication systems. While Google has patched the specific flaw, the broader ecosystem remains vulnerable due to widespread SMS 2FA adoption. Organizations should prioritize FIDO2/WebAuthn implementations and pressure carriers to strengthen SIM-swap protections.
References
1. “Google patched bug leaking phone numbers tied to accounts,” BleepingComputer, 2025.
2. “Google fixes bug that could reveal users’ private phone numbers,” TechCrunch, 2025.
3. “Technical Deep Dive: Leaking Google Account Phone Numbers,” brutecat, 2025.
4. Twitter thread on carrier SIM-swap protections, 2020.
5. Hacker News thread on PayPal/Venmo SMS reliance, 2025.
6. TwoFactorAuth.org banking 2FA survey, 2025.