Google recently patched a series of vulnerabilities that could have been exploited to obtain the phone number of any user.
Details of the exploit were made public on Monday by the Singapore-based researcher who reported it to the tech giant.
The researcher, who uses the online monikers Brutecat and Skull, said he came across the vulnerabilities after disabling JavaScript in his browser in an effort to determine whether any Google services still worked without JavaScript.
He found that account recovery forms still worked, and they also allowed him to check — using two HTTP requests — whether a recovery email address or phone number was associated with a specified account display name.
Further tests showed that he could also obtain the actual phone number associated with a specified display name through a brute-force attack. Google’s rate limiting protections were bypassed by using different IPv6 addresses for each request and a BotGuard token obtained from Google.
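The rate-limit bypass described above depended on each request arriving from a different IPv6 address. The following Python example is added here for illustration (it is not from the researcher or Google, and does not describe Google's actual mitigation): it shows why a limiter keyed on the full address gives such a client an effectively unlimited budget, while one keyed on the /64 prefix does not. The /64 grouping, the limit of 5 and the 60-second window are assumptions.

```python
import ipaddress
from collections import defaultdict

IPV6_PREFIX = 64  # assumption: treat one /64 as a single client


def per_address_key(addr: str) -> str:
    """Naive key: every distinct address gets its own budget."""
    return str(ipaddress.ip_address(addr))


def per_prefix_key(addr: str) -> str:
    """Aggregate IPv6 to its /64; keep IPv4 as a single address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        if ip.ipv4_mapped is not None:  # ::ffff:a.b.c.d counts as IPv4
            return str(ip.ipv4_mapped)
        return str(ipaddress.IPv6Network((ip, IPV6_PREFIX), strict=False))
    return str(ip)


class FixedWindowLimiter:
    """Allow at most `limit` requests per key in each `window`-second bucket."""

    def __init__(self, key_func, limit: int, window: int = 60):
        self.key_func, self.limit, self.window = key_func, limit, window
        self.counts = defaultdict(int)

    def allow(self, addr: str, now: float) -> bool:
        bucket = (self.key_func(addr), int(now // self.window))
        self.counts[bucket] += 1
        return self.counts[bucket] <= self.limit


def count_allowed(limiter, addrs, now=0.0) -> int:
    """Number of requests the limiter lets through at time `now`."""
    return sum(limiter.allow(a, now) for a in addrs)


# Constructed sample: 1,000 requests, each from a different address inside one
# /64 of the documentation range (2001:db8::/32 is reserved for examples).
SAMPLE = [f"2001:db8:0:1::{i:x}" for i in range(1, 1001)]

if __name__ == "__main__":
    naive = FixedWindowLimiter(per_address_key, limit=5)
    grouped = FixedWindowLimiter(per_prefix_key, limit=5)
    print("per-address key allowed:", count_allowed(naive, SAMPLE))
    print("per-/64 key allowed:    ", count_allowed(grouped, SAMPLE))
```

A client that controls a larger allocation than a /64 can still spread requests across prefixes, so address-based limits are usually paired with limits keyed on the account or identifier being queried.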
In order to leverage this for a practical exploit that would enable him to obtain any user’s phone number, the researcher also needed a way to obtain the display name associated with a given Gmail address.
He achieved this by abusing a Google service named Looker Studio, designed for converting data into reports and dashboards. Creating a Looker Studio document and transferring its ownership to the targeted user’s email address would result in the victim’s display name being shown.

Put together, an attacker who knew the targeted user’s email address could have leveraged Looker Studio to obtain their display name, then used that name on the password recovery page to obtain a masked phone number (last two digits), and finally brute-forced the full phone number.
Phone numbers may be considered highly sensitive information, often being targeted in social engineering and other types of attacks.
The researcher has created a video showing the exploit in action.
According to tests conducted by Brutecat, a US phone number could have been obtained in roughly 20 minutes, a UK number in 4 minutes, and Netherlands and Singapore numbers could be brute-forced in seconds — all of this by renting a server at a cost of $0.30/hour.
Google was informed about the vulnerabilities in mid-April and rolled out mitigations in May and early June. The tech giant awarded Brutecat a $5,000 bug bounty for his findings.
In March, the researcher disclosed the details of a YouTube vulnerability that exposed the email addresses of content creators, for which he earned a $20,000 bug bounty.
