- A security researcher found a way around Google's anti-bot mechanism on the account recovery flow
- This allowed them to automate guessing the phone number linked to an account
- Google fixed the flaw and thanked the researcher
Google has fixed a flaw that could have exposed the phone number associated with any Google account, putting users at various privacy and security risks.
A security researcher using the alias “Brutecat” found a way to bypass the anti-bot protection that was meant to stop people from spamming password reset requests for Google accounts.
This allowed them to cycle through every possible combination until they hit the correct phone number. They then automated the process, which let them recover the phone number in about 20 minutes (depending on how many digits the number has).
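To make the mechanism concrete, here is an added simulation (not Google's code or the researcher's tooling). It assumes a hypothetical recovery endpoint that answers only "does this number belong to the account?", a hypothetical attempt cap standing in for the anti-bot control, and an attacker who already knows the leading digits (country or area code) so that only the tail has to be enumerated. It shows why removing that cap turns a harmless yes/no oracle into a full phone-number leak:

```python
"""Simulation of phone-number enumeration against a yes/no recovery oracle.

Constructed illustration, not Google's code or the researcher's tooling.
"""
from itertools import product
from typing import Optional, Tuple


class RecoveryOracle:
    """Hypothetical recovery endpoint: says whether a candidate number matches.

    ``attempt_cap`` models the anti-bot/rate limit. None means the protection
    has been bypassed and the endpoint answers without limit.
    """

    def __init__(self, registered_number: str, attempt_cap: Optional[int] = None):
        self._registered = registered_number
        self.attempt_cap = attempt_cap
        self.attempts = 0

    def matches(self, candidate: str) -> bool:
        if self.attempt_cap is not None and self.attempts >= self.attempt_cap:
            raise PermissionError("anti-bot limit reached")
        self.attempts += 1
        return candidate == self._registered


def enumerate_number(
    oracle: RecoveryOracle, known_prefix: str, unknown_digits: int
) -> Tuple[Optional[str], int, bool]:
    """Try every completion of ``known_prefix`` with ``unknown_digits`` more digits.

    Returns (number_or_None, attempts_used, was_blocked). Assumption: the
    attacker knows the leading digits and only the tail is unknown.
    """
    try:
        for tail in product("0123456789", repeat=unknown_digits):
            candidate = known_prefix + "".join(tail)
            if oracle.matches(candidate):
                return candidate, oracle.attempts, False
    except PermissionError:
        # The cap fired: the walk stops with the number still unknown.
        return None, oracle.attempts, True
    return None, oracle.attempts, False


def worst_case_seconds(unknown_digits: int, requests_per_second: float) -> float:
    """Time to exhaust all 10**unknown_digits candidates at a given request rate."""
    return 10 ** unknown_digits / requests_per_second


if __name__ == "__main__":
    target = "+15550123"  # constructed sample number
    # Protection bypassed: enumeration walks straight to the number.
    print(enumerate_number(RecoveryOracle(target), "+1555", 4))
    # Protection in place: the cap stops the walk long before the number is reached.
    print(enumerate_number(RecoveryOracle(target, attempt_cap=50), "+1555", 4))
    # Seven unknown digits at 1,000 requests/s still finishes in under three hours.
    print(worst_case_seconds(7, 1000))
```

The point of `worst_case_seconds` is that the search space of a phone number is small by brute-force standards; only the per-account attempt cap (or equivalent rate limiting and bot detection on the recovery endpoint) keeps the enumeration from completing, which is exactly why bypassing that control was the whole vulnerability.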
Risks of an exposed number
Several privacy and security problems follow from an exposed phone number. For one, people who rely on anonymity (journalists, political opposition figures, dissidents and the like) become more vulnerable to targeted attacks. Exposing a person's phone number also opens them up to SIM swap attacks, as well as phishing and social engineering. Finally, if an attacker successfully hijacks a phone number, they can reset passwords and gain unauthorized access to linked accounts.
Fortunately, the issue has been resolved, and so far there have been no reports of the flaw being exploited in the wild.
TechCrunch was one of the publications that confirmed the flaw was genuine, after creating a dummy account with a brand new phone number and having it “cracked” shortly afterwards.
“This issue has been fixed. We have always stressed the importance of working with the security community through our vulnerability reward program, and we would like to thank the researcher for reporting this issue,” Google spokesperson Kimberly Samra told TechCrunch.
“Researcher submissions like this are one of the many ways we find and fix issues quickly for the safety of our users.”
Samra said the company had seen “no confirmed direct links to exploits at this time”.