A serious vulnerability in Google’s account recovery process allowed a security researcher to brute-force the recovery phone number of any Google account, raising the risk of targeted phishing and SIM-swapping attacks. The flaw, found by the researcher known as BruteCat, lay in a legacy, JavaScript-free version of the username recovery form that lacked the anti-abuse protections of the current form.
BruteCat’s method used that legacy no-JavaScript form together with two pieces of information that are easy to obtain: the target’s profile display name and a partial (masked) version of the recovery phone number. The form’s rate limiting was evidently keyed on the source IP address, so rotating through IP addresses was enough to sidestep it, letting the researcher submit guesses at a volume that made the remaining number space practical to exhaust.
Using Google’s open-source ‘libphonenumber’ library to generate only correctly formatted numbers for each country, the researcher built a brute-forcing tool capable of about 40,000 requests per second. At that rate, a U.S. recovery number could be recovered in roughly 20 minutes, and numbers in countries with shorter or more constrained numbering plans even faster. The case is a reminder that a legacy endpoint left alive alongside a hardened one inherits none of the newer protections, and an attacker need only find the weaker path.
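The arithmetic behind those timings, as an added illustration that is not BruteCat’s tool and not Google code: the first part shows how small the search space becomes once the attacker knows the country and the last two digits and only generates numbers that a numbering plan actually allows (the simplified NANP rules here are an assumption standing in for libphonenumber’s metadata); the second part shows why a rate limiter keyed on source IP does not bound that search when the attacker rotates addresses, while one keyed on the targeted account does. The 40,000 requests-per-second figure is the article’s; the request stream and the target name are constructed for the example.

```python
"""
Search-space and rate-limit illustration (added example, not the researcher's
tool or Google's code).

Simplified NANP (US/Canada) rules used as a stand-in for libphonenumber's
metadata: area code and exchange are NXX with N in 2-9 and no N11 codes;
the four-digit line number is unconstrained. Real metadata is tighter, so the
counts here are an upper bound.
"""
from collections import defaultdict
from itertools import product
import re

RATE_RPS = 40_000  # requests per second cited in the article


def _nxx_codes():
    """Valid NXX codes: first digit 2-9, and not an N11 service code."""
    for n in range(2, 10):
        for xx in range(100):
            code = f"{n}{xx:02d}"
            if code[1:] != "11":
                yield code


def _matches(part, pattern):
    """True if `part` agrees with `pattern` on every non-'*' position."""
    return all(p == "*" or p == c for p, c in zip(pattern, part))


def candidate_parts(mask):
    """Split a 10-char mask ('*' = unknown digit) into the surviving
    area codes, exchanges and line numbers."""
    if not re.fullmatch(r"[0-9*]{10}", mask):
        raise ValueError("mask must be 10 characters of digits or '*'")
    area_codes = [c for c in _nxx_codes() if _matches(c, mask[0:3])]
    exchanges = [c for c in _nxx_codes() if _matches(c, mask[3:6])]
    lines = [f"{i:04d}" for i in range(10_000) if _matches(f"{i:04d}", mask[6:10])]
    return area_codes, exchanges, lines


def count_candidates(mask):
    """Number of plausible numbers matching the mask (no enumeration)."""
    area_codes, exchanges, lines = candidate_parts(mask)
    return len(area_codes) * len(exchanges) * len(lines)


def nanp_candidates(mask):
    """Generator of the actual candidate numbers, for when a caller wants
    to iterate rather than just count."""
    for a, e, l in product(*candidate_parts(mask)):
        yield a + e + l


def minutes_to_exhaust(mask, rps=RATE_RPS):
    """Worst-case time to try every candidate at `rps` requests/second."""
    return count_candidates(mask) / rps / 60


class RateLimiter:
    """Minimal in-memory counter: allow at most `limit` requests per key.
    Windowing/expiry is omitted; only the choice of key matters here."""

    def __init__(self, limit, key_fn):
        self.limit, self.key_fn = limit, key_fn
        self.counts = defaultdict(int)

    def allow(self, req):
        key = self.key_fn(req)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def rotating_attacker(n, target="Alice Example"):
    """Constructed request stream: one guess per request, every request from
    a fresh source address, all aimed at the same account."""
    return [{"ip": f"2001:db8::{i:x}", "target": target, "guess": f"{i:010d}"}
            for i in range(n)]


def allowed_requests(requests, key_fn, limit=5):
    """How many of `requests` a limiter keyed by `key_fn` lets through."""
    limiter = RateLimiter(limit, key_fn)
    return sum(1 for r in requests if limiter.allow(r))


if __name__ == "__main__":
    print(count_candidates("********03"), "candidates with last two digits known")
    print(f"{minutes_to_exhaust('********03'):.1f} minutes at {RATE_RPS} req/s")
    reqs = rotating_attacker(100)
    print(allowed_requests(reqs, lambda r: r["ip"]), "allowed when keyed on IP")
    print(allowed_requests(reqs, lambda r: r["target"]), "allowed when keyed on target")
```

With the last two digits known, the simplified rules leave about 62.7 million U.S. candidates, roughly 26 minutes at 40,000 requests per second, in the same range as the article’s 20-minute figure (real numbering metadata prunes further). Every one of the 100 rotating-source requests passes a per-IP limiter, while a per-target limiter stops the run at its limit, which is the property the legacy form lacked.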
BruteCat first reported the findings to Google on April 14, 2025; Google initially rated the issue as low risk. The severity was raised on May 22, and on June 6 Google said it had deprecated the vulnerable endpoint. It remains unclear whether the flaw was exploited before the fix.