Google fixes bug that could reveal users’ private phone numbers

A security researcher has discovered a bug that could be used to reveal the private recovery phone number of almost any Google account without alerting its owner, potentially exposing users to privacy and security risks.

Google confirmed to TechCrunch that it fixed the bug after the researcher alerted the company in April.

The independent researcher, who goes by the handle Brutekat and blogged their findings, told TechCrunch that they could obtain the recovery phone number of a Google account by exploiting a bug in the company’s account recovery feature.

The exploit relies on an “attack chain” of several distinct processes, including bypassing an anti-bot protection mechanism meant to prevent malicious spamming of password reset requests against the target account. Bypassing the rate limit allowed the researcher to cycle through every possible permutation of a Google account’s phone number in a short period of time and arrive at the correct digits.

By automating the attack chain with a script, the researcher said it was possible to brute-force a Google account owner’s recovery phone number in 20 minutes or less, depending on the length of the phone number.

To test this, TechCrunch set up a new Google account with a phone number that had never been used before, then provided Brutekat with the email address of our new Google account.

A short time later, Brutekat messaged us back with the phone number that we had set.

“Bingo :),” said the researcher.

Revealing a private recovery phone number can expose even anonymous Google accounts to targeted attacks, such as takeover attempts. Identifying a private phone number associated with someone’s Google account can make it easier for skilled hackers to take control of that phone number through a SIM swap, for example. With control of that phone number, the attacker can reset the password of any account associated with the phone number using the reset codes sent to that phone.

Given the potential risk to the wider public, TechCrunch agreed to hold this story until the bug was fixed.

“This problem has been fixed. We have always emphasized the importance of working with the security research community through our vulnerability rewards program and we would like to thank the researcher for flagging this problem,” Google spokesperson Kimberley Samra told TechCrunch. “Submissions like this are one of the many ways to quickly find and fix problems to protect our users.”

Samra said that the company had not seen any direct links to exploits at this time.

Brutekat said Google paid $5,000 in a bug bounty reward for their finding.

https://www.youtube.com/watch?v=am3iplyz4sw
