Google Vulnerability Allowed Hackers to Access User Phone Numbers

A security researcher has disclosed a critical vulnerability in Google’s account recovery system that allowed attackers to brute-force and obtain the phone numbers of any Google user.

The vulnerability , discovered in 2025, exploited Google’s username recovery form that continued to function without JavaScript, bypassing modern security protections and enabling systematic phone number enumeration attacks.

The vulnerability emerged when the researcher discovered that Google’s username recovery form still functioned with JavaScript disabled, contrary to expectations that such forms required complex botguard solutions since 2018.

The attack leveraged two critical HTTP requests to Google’s accounts system, first submitting a phone number to generate an “ess” value, then using that value to verify if a Google account existed with specific display names.

Initially, the system appeared protected through IP-based rate limiting and CAPTCHA challenges.

However, the researcher circumvented these protections using IPv6 address rotation ...