Alarming Google Bug Exposes Account Phone Numbers Via Brute-Force Attack

A few weeks ago, we reported on Google adding a privacy feature that helps users remove personal information from search engines. To further protect users' personal information, Google has patched a vulnerability that allows attackers to bypass key security features and steal Google users' phone numbers.

To exploit this vulnerability, malicious actors need the victim's display name. However, since Google has removed users' display names from endpoints, accessing it without direct interaction with users should be impossible. Nevertheless, attackers can find a way around this by using sophisticated techniques to unmask a victim's display name. A security researcher demonstrated how this could be done in the video below.

Hackers will also need a hint about the victim's phone number, and they can easily get it by using the Gmail account recovery feature. For example, a number ending with 69 will have a masked phone number like ***********69 ...