Google Account Flaw: Phone Numbers at Risk from Brute Force Attack 🚨
A security flaw allowed hackers to brute force Google account phone numbers, like a digital Sherlock Holmes but less ethical. The researcher “brutecat” found a way to bypass Google’s defenses with a BotGuard token. Google awarded $5,000 for the finding—because who knew hacking could be so lucrative?

Hot Take:
**_Ah, Google, where brute force isn’t just for medieval siege tactics anymore! Who knew that disabling JavaScript could turn your browser into a time machine, taking you back to the days when phone numbers were just a few clicks away? Personally, I’d prefer my phone number not to be a public spectacle, but at least they threw in some swag for the lucky researcher who cracked the code!_**
Key Points:
– A vulnerability in Google’s deprecated username recovery form allowed brute force attacks to reveal phone numbers.
– The attack worked by using BotGuard tokens to bypass the CAPTCHA and rate limits protecting that form.
– The researcher reported the flaw and received a $5,000 reward for the low-risk, high-impact discovery.
– Google has deprecated the no-JavaScript username recovery form to mitigate the issue.
– The attack’s success relied on obtaining the victim’s country code and display name.
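One defender-side check that follows from these points, written as an added example and not code from the original report or from Google: because the bypass relied on valid bot-defense tokens, the detection below ignores the token result and instead flags a recovery target (display name plus country code) that sees many distinct phone-number candidates in a short window. The log format, endpoint path and field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample request log (not real Google logs). Field names are
# assumptions: target = display name typed into the recovery form,
# cc = country code, candidate = phone number tried, botguard = token check.
SAMPLE_LOG = [
    f"t={10 * i} ip=203.0.113.7 path=/recover/noscript target=Jane_Doe "
    f"cc=+1 candidate=20255501{i:02d} botguard=ok"
    for i in range(6)  # six distinct numbers for one name within 50 seconds
] + [
    "t=10 ip=198.51.100.4 path=/recover/noscript target=Bob cc=+44 candidate=7700900123 botguard=ok",
    "t=500 ip=198.51.100.4 path=/recover/noscript target=Bob cc=+44 candidate=7700900123 botguard=ok",
]

LINE_RE = re.compile(
    r"t=(?P<t>\d+) ip=(?P<ip>\S+) path=(?P<path>\S+) target=(?P<target>\S+) "
    r"cc=(?P<cc>\S+) candidate=(?P<candidate>\S+) botguard=(?P<botguard>\S+)"
)

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["t"] = int(event["t"])
    return event

def find_enumeration(lines, window=60, threshold=5):
    """Flag (display name, country code) pairs that saw more than `threshold`
    distinct candidate numbers inside any `window`-second span. The bot-token
    result is deliberately ignored: a valid token does not prove a human, so
    rate limiting must key on the recovery target, not only on the token."""
    events = [e for e in map(parse, lines) if e and e["path"] == "/recover/noscript"]
    events.sort(key=lambda e: e["t"])
    per_target = defaultdict(list)
    for e in events:
        per_target[(e["target"], e["cc"])].append(e)
    flagged = {}
    for key, evs in per_target.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["t"] - evs[start]["t"] > window:
                start += 1  # slide the window forward
            distinct = {e["candidate"] for e in evs[start:end + 1]}
            if len(distinct) > threshold:
                flagged[key] = max(flagged.get(key, 0), len(distinct))
    return flagged

if __name__ == "__main__":
    for (name, cc), count in find_enumeration(SAMPLE_LOG).items():
        print(f"possible phone enumeration against {name} ({cc}): {count} distinct numbers")
```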