Researchers figure out how to reveal any phone number linked to Google accounts

A cybersecurity researcher was able to find the phone number linked to any Google account, information that is usually not public and is often sensitive, according to the researcher, Google, and 404 Media’s own tests.

The issue has since been resolved, but at the time it posed a privacy problem: even hackers with relatively few resources could have brute forced their way to people’s personal information.

“I think this vulnerability is very bad because it’s basically a gold mine for SIM swappers,” the independent security researcher who found the problem, who goes by the handle BruteCat, wrote in an email. SIM swappers are hackers who take over a target’s phone number to receive their calls and text messages, which in turn can let them break into various accounts.

In mid-April, we provided BruteCat with one of our personal Gmail addresses to test the vulnerability. About six hours later, BruteCat responded with the correct and complete phone number linked to the account.

“Essentially, it’s in the number of responsibility,” BruteCat said of their process. Brute forcing is when a hacker rapidly tries different numbers or combinations of characters until they find the one they are after. Usually, this is in the context of finding someone’s password, but here, BruteCat is doing something similar to determine the phone number of a Google user.

BruteCat said in an email that the brute force takes about an hour for a US number, while for a UK number it takes eight minutes. For other countries, they said, it may take less than a minute.

BruteCat demonstrates the attack in an accompanying video, in which the attacker needs the target’s Google display name. The video says they first transferred ownership of a document from Google’s Looker Studio product to the target. They said they modified the name of the document to be millions of characters long, which ended up with the target not being notified of the ownership switch. Using some custom code, which they go into detail about in their write-up, BruteCat then barrages Google with guesses of the phone number until getting a hit.

A caption in the video reads: “The victim was not notified at all :)”

A Google spokesperson told 404 Media in a statement: “This problem has been resolved. We have always emphasized the importance of working with the security research community through our vulnerability rewards program, and we would like to thank the researcher for flagging this issue. Submissions from researchers like this are one of the many ways we can quickly find and address user security issues.”

Phone numbers are a key piece of information for SIM swappers. These hackers have been linked to countless hacks of individual people in order to steal online usernames or cryptocurrency. However, sophisticated SIM swappers have also escalated to targeting large companies. Some have worked directly with ransomware gangs from Eastern Europe.

Equipped with a phone number, a SIM swapper may impersonate the victim and convince their telecom to reroute text messages to a SIM card the hacker controls. From there, the hacker can request password reset text messages or multi-factor authentication codes and log in to the victim’s valuable accounts. This could include accounts that store cryptocurrency or, even more damaging, their email, which in turn can grant access to many other accounts.

The FBI advises on its website that people do not publicly advertise their phone numbers. “Protect your personal and financial information. Do not promote your phone number, address or financial assets, including ownership or investment in cryptocurrencies, on social media sites.”

BruteCat said in their write-up that Google awarded them a $5,000 reward and some swag for their discovery. Initially, Google marked the vulnerability as having a low chance of exploitation. According to BruteCat’s write-up, the company later upgraded that likelihood to medium.
