- Total News Sources: 2
- Left: 0
- Center: 2
- Right: 0
- Unrated: 0
- Last Updated: 7 days ago
- Bias Distribution: 100% Center


Google Patches Bug Exposing Recovery Phone Numbers
A security vulnerability in Google's account recovery system allowed attackers to brute-force users' private recovery phone numbers by exploiting a legacy non-JavaScript username recovery form. The flaw, discovered by researcher brutecat, involved bypassing Google's anti-bot protections and rate limits using IPv6 address rotation and automation, enabling the retrieval of phone numbers linked to Google accounts in minutes. Such a leak poses significant privacy and security risks, including SIM swapping, targeted phishing, and account takeovers, because phone numbers are critical for two-factor authentication and account recovery. Google confirmed the issue, awarded brutecat a bug bounty after initial reluctance, and has since fully deprecated the vulnerable recovery form to close this attack vector. Users are advised to remove their phone numbers from two-factor authentication settings and instead use hardware-based 2FA methods such as passkeys or authenticator apps for enhanced security. The flaw is not known to have been actively exploited, but the proof of concept highlights the importance of cautious account security practices.
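The rate-limit bypass described above works when a limiter counts requests per full IPv6 address, since a single client can hold a very large number of addresses. The following added example (not code from the article, the researcher, or Google, whose fix was to retire the form) shows a limiter that buckets IPv6 clients by network prefix; the /64 bucket size, the function and class names, and the traffic sample are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque

IPV6_PREFIX_LEN = 64  # assumption: one /64 is treated as one client


def rate_limit_key(addr: str, v6_prefix: int = IPV6_PREFIX_LEN) -> str:
    """Map a client address to the bucket that its requests are counted in."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        if ip.ipv4_mapped is not None:
            # ::ffff:a.b.c.d is an IPv4 client; count it as that IPv4 address.
            return str(ip.ipv4_mapped)
        # Collapse every address in the same prefix into one bucket.
        return str(ipaddress.IPv6Network((ip, v6_prefix), strict=False))
    return str(ip)


class SlidingWindowLimiter:
    """Allow at most `limit` requests per bucket in any `window_s` seconds."""

    def __init__(self, limit: int, window_s: float, key_fn=rate_limit_key):
        self.limit, self.window_s, self.key_fn = limit, window_s, key_fn
        self._hits = defaultdict(deque)  # bucket key -> request timestamps

    def allow(self, addr: str, now: float) -> bool:
        hits = self._hits[self.key_fn(addr)]
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()  # drop timestamps that left the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def simulate(key_fn, requests: int = 200, limit: int = 5, window_s: float = 60.0) -> int:
    """Constructed traffic: every request uses a fresh address in 2001:db8:0:1::/64.

    Returns how many of the requests the limiter lets through.
    """
    limiter = SlidingWindowLimiter(limit, window_s, key_fn)
    base = int(ipaddress.IPv6Address("2001:db8:0:1::"))
    return sum(
        limiter.allow(str(ipaddress.IPv6Address(base + i + 1)), now=i * 0.01)
        for i in range(requests)
    )


if __name__ == "__main__":
    print("per-address key:", simulate(str), "of 200 allowed")
    print("per-/64 key:   ", simulate(rate_limit_key), "of 200 allowed")
```

Providers often delegate prefixes larger than a /64 to a single customer, so a production limiter typically also tracks a shorter prefix and pairs it with per-account or per-target counters.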

