According to tests conducted by the researcher, Google, and 404 Media, a cybersecurity researcher was able to determine the phone number associated with any Google account, information that is typically private and sensitive.
The issue, which has since been fixed, was a privacy concern at the time: even attackers with relatively few resources could have brute-forced their way to people's personal information.
The independent security researcher who discovered the vulnerability, known by the handle brutecat, wrote in an email, "I think this exploit is pretty bad since it's basically a gold mine for SIM swappers." Hackers known as SIM swappers take over a target's phone number in order to intercept their calls and texts, which lets them break into a variety of accounts.
404 Media tested the vulnerability in mid-April by giving brutecat one of our personal Gmail addresses. After roughly six hours, brutecat responded with the complete and accurate phone number associated with that account.
Describing their method, brutecat said, "It's basically bruting the number." Brute forcing means rapidly trying many combinations of characters or digits until the right one is found. Usually that is done to recover someone's password, but here brutecat used it to find a Google user's phone number.
According to an email from brutecat, brute-forcing a U.S. number takes about an hour, and a UK number about eight minutes. They said that in some other countries it can take less than a minute.
In an accompanying video demonstrating the exploit, brutecat explains that an attacker first needs the target's Google display name. To obtain it, according to the video, they transfer ownership of a document created in Google's Looker Studio to the target. They say they changed the document's name to contain millions of characters, which prevented the target from being notified of the ownership change. brutecat then bombards Google with phone number guesses until one hits, using custom code described in their write-up.
A caption in the video says, "The victim isn't notified at all :)."
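The guessing described above is only feasible if a phone-verification endpoint accepts a very large number of wrong answers for the same target account. As an added example (not code from 404 Media's article or from brutecat's write-up), the snippet below shows the kind of per-target sliding-window check a defender would run over verification logs, or enforce inline, to catch that pattern. The log format, the account names and the window and threshold values are all assumptions made up for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format:
#   "<ISO-8601 timestamp> <target account> <outcome>"
# 25 failed phone guesses against one account inside one minute, plus a
# couple of ordinary events for another account and one late straggler.
SAMPLE_LOG = [
    f"2025-04-15T10:00:{i:02d} victim@example.com phone_check_failed"
    for i in range(25)
] + [
    "2025-04-15T10:00:05 other@example.com phone_check_failed",
    "2025-04-15T10:00:40 other@example.com phone_check_ok",
    "2025-04-15T10:20:00 victim@example.com phone_check_failed",
]

WINDOW = timedelta(minutes=10)   # assumed: how far back we count failures
THRESHOLD = 20                   # assumed: failures per target that trigger a flag


def parse_line(line):
    """Split one log line into (timestamp, account, outcome)."""
    ts, account, outcome = line.split()
    return datetime.fromisoformat(ts), account, outcome


def detect_enumeration(lines, window=WINDOW, threshold=THRESHOLD):
    """Count failed phone-verification attempts per *target* account in a
    sliding window. Returns {account: peak failures seen in any window}
    for every account that reached the threshold.

    Keying on the target rather than on the source IP matters here: the
    attack in the article sends many guesses at a single victim, and a
    guesser can spread those across many source addresses."""
    events = sorted(parse_line(l) for l in lines)  # chronological order
    recent = defaultdict(deque)                    # account -> failure timestamps in window
    flagged = {}
    for ts, account, outcome in events:
        if outcome != "phone_check_failed":
            continue
        q = recent[account]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[account] = max(flagged.get(account, 0), len(q))
    return flagged


def should_block(account, lines, window=WINDOW, threshold=THRESHOLD):
    """Inline decision for a verification endpoint: refuse further phone
    checks for an account that is currently being enumerated."""
    return account in detect_enumeration(lines, window, threshold)


if __name__ == "__main__":
    for account, peak in detect_enumeration(SAMPLE_LOG).items():
        print(f"{account}: {peak} failed phone checks within {WINDOW}")
```

On the constructed log this flags only `victim@example.com` (peak of 25 failures in the window); the late attempt at 10:20 falls outside the ten-minute window and does not count toward it. A real deployment would also throttle per source address and per verification session, but the per-target counter is the one that stops a distributed guesser.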
A Google representative said in a statement to 404 Media, "This issue has been fixed. We've always stressed the importance of working together with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue. Researcher submissions like this are one of the many ways we're able to quickly find and fix issues for the safety of our users."
Phone numbers are among the most valuable pieces of information for SIM swappers. These hackers have been linked to numerous attacks on individuals aimed at stealing cryptocurrency or online usernames. Sophisticated SIM swappers now also target large corporations, and some have worked directly with Eastern European ransomware gangs.
Once the SIM swapper has the victim’s phone number, they can pretend to be the victim and persuade their telecom provider to reroute text messages to a SIM card under their control. The hacker can then access the victim’s valuable accounts by requesting multi-factor authentication codes or password reset text messages. Among these could be cryptocurrency storage accounts or, even more dangerously, their email address, which could provide access to numerous other accounts.
For this reason, the FBI advises on its website that people should not post their phone number publicly. "Keep your financial and personal information safe," the site reads. "Avoid posting your address, phone number, or financial assets—including cryptocurrency ownership or investments—on social media platforms."
brutecat wrote in their article that Google paid them $5,000 and sent some merchandise in recognition of the research. Google initially classified the vulnerability as unlikely to be exploited; according to brutecat's write-up, the company later raised that likelihood to medium.