A serious security vulnerability in Google’s account recovery system, discovered by the Singaporean security researcher “brutecat,” has been addressed by the tech giant after it was found to expose users to significant privacy and security risks. The flaw potentially allowed malicious actors to brute-force an account’s linked phone number, which could be exploited for targeted attacks like SIM-swapping.
The Vulnerability: A Flaw in Account Recovery
The issue resided in a deprecated version of the Google username recovery page, specifically the version that did not use JavaScript. This page, designed to help users recover their usernames, also enabled attackers to check if a recovery phone number or email was associated with a given Google account display name. While Google had some protective measures in place, they were insufficient to prevent abuse. The page lacked anti-abuse features like CAPTCHA to limit excessive or spammy requests.
Exploiting the flaw required bypassing CAPTCHA-based rate-limiting, allowing attackers to systematically try all permutations of a Google account’s phone number in a short amount of time. Depending on the length of the phone number, which varies by country, attackers could quickly determine the correct digits in just seconds or a few minutes. For example, a Singapore-based phone number could be brute-forced in approximately five seconds, while a U.S. phone number could take around 20 minutes.
How the Exploit Worked
In the attack chain, an attacker could:
- Leak the Google Account Display Name: First, an attacker could use Looker Studio to cause the victim’s full name to be exposed publicly.
- Run the Forgot Password Flow: The attacker could then use the Forgot Password flow on the target’s email address, revealing the last two digits of the associated phone number.
- Brute-force the Phone Number: Using the username recovery form, the attacker could attempt to guess the full phone number by testing all permutations.
Once the full phone number was identified, the attacker could use it in a SIM-swapping attack, gaining control over the target’s phone number. From there, they could request account password resets for any Google services or linked accounts, leading to a complete compromise.
Google’s Response and Fix
After the vulnerability was responsibly disclosed by “brutecat” on April 14, 2025, Google acted swiftly to address the issue. The company awarded the researcher a $5,000 bug bounty and worked to patch the flaw. Google completely removed the problematic username recovery form, which had been lacking proper protections, on June 6, 2025. This fix eliminated the vector for brute-forcing linked phone numbers and mitigated the associated risks.
Prior Vulnerabilities Discovered by brutecat
This is not the first time “brutecat” has uncovered a security flaw related to Google services. In fact, the researcher has previously discovered vulnerabilities that exposed sensitive information on platforms like YouTube.
In an earlier report, “brutecat” revealed an issue with the YouTube API that allowed attackers to expose the email addresses of YouTube channel owners by chaining a flaw in an outdated web API. This discovery earned the researcher a $10,000 bug bounty. Furthermore, in March 2025, the researcher uncovered another access control vulnerability in the YouTube Partner Program (YPP) API, which allowed email addresses of YPP members to be exposed, resulting in another $20,000 reward.
What SOC Teams Need to Know
SOC teams should be aware that this vulnerability could have been leveraged for SIM-swapping attacks, allowing attackers to gain control of a victim’s phone number and compromise their Google accounts or linked services. Although Google has patched the flaw by removing the vulnerable username recovery form, SOC teams should monitor for potential exploitation attempts in their environments. The vulnerability highlights the importance of protecting recovery mechanisms, such as account recovery phone numbers, and ensuring that deprecated forms or features do not remain active without proper security protections. Teams should also ensure that two-factor authentication (2FA) is enabled across all critical accounts, and closely monitor for signs of SIM-swapping or account takeover attempts. Additionally, this issue serves as a reminder to stay ahead of evolving attack methods, continually testing and securing recovery paths and API access to sensitive user data.
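As an added example (not code from the article or from Google), the following Python detector flags the enumeration pattern described above, one target display name being probed with many distinct phone-number candidates in a short window, over constructed log lines; the log format and the recovery_lookup field names are assumptions.

```python
# Added example (not code from the article or from Google): a detector for the
# enumeration pattern described above, run over constructed recovery-form logs.
# Assumes each lookup is logged with the target display name and the candidate
# phone number; one target probed with many distinct candidates in a short
# window is the signal, however many client addresses the requests come from.
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) recovery_lookup name="(?P<name>[^"]*)" '
    r'phone="(?P<phone>[^"]*)" result=(?P<result>\w+)$'
)
# Constructed sample lines, not real traffic: Jane Doe gets one lookup hours
# earlier, then five distinct candidates in five seconds from rotating clients;
# John Smith is a user retrying the same number twice.
SAMPLE_LOG = """\
2025-06-01T08:00:00Z 198.51.100.4 recovery_lookup name="Jane Doe" phone="+6591230000" result=no_match
2025-06-01T10:00:01Z 203.0.113.7 recovery_lookup name="Jane Doe" phone="+6591230001" result=no_match
2025-06-01T10:00:02Z 203.0.113.8 recovery_lookup name="Jane Doe" phone="+6591230002" result=no_match
2025-06-01T10:00:03Z 203.0.113.9 recovery_lookup name="Jane Doe" phone="+6591230003" result=no_match
2025-06-01T10:00:04Z 203.0.113.10 recovery_lookup name="Jane Doe" phone="+6591230004" result=no_match
2025-06-01T10:00:05Z 203.0.113.11 recovery_lookup name="Jane Doe" phone="+6591230005" result=match
2025-06-01T10:00:07Z 198.51.100.9 recovery_lookup name="John Smith" phone="+14155550100" result=no_match
2025-06-01T10:00:20Z 198.51.100.9 recovery_lookup name="John Smith" phone="+14155550100" result=match
"""

def parse_line(line):
    m = LINE_RE.match(line.strip())  # None for malformed lines; caller skips them
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect_enumeration(log_text, window_seconds=60, threshold=5):
    """Map each flagged target to its peak count of distinct phone candidates
    seen inside any sliding window of window_seconds."""
    by_target = defaultdict(list)
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        by_target[ev["name"]].append(ev)
    flagged = {}
    for name, events in by_target.items():
        events.sort(key=lambda e: e["ts"])
        window, peak = deque(), 0
        for ev in events:
            window.append(ev)
            # Drop lookups older than the window, then count distinct candidates.
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len({e["phone"] for e in window}))
        if peak >= threshold:
            flagged[name] = peak
    return flagged
```

The sliding window matters: the same target looked up once hours earlier is a normal user, whereas five distinct candidates within a minute is the brute-force signature, and the same number retried twice is not flagged at all.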
How Can Netizen Help?
Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact
