A cybersecurity researcher was able to figure out the phone number linked to any Google account, information that is usually not public and is often sensitive, according to the researcher, Google, and 404 Media's own tests.
The issue has since been fixed but at the time presented a privacy issue in which even hackers with relatively few resources could have brute forced their way to peoples' personal information.
“I think this exploit is pretty bad since it's basically a gold mine for SIM swappers,” the independent security researcher who found the issue, who goes by the handle brutecat, wrote in an email. SIM swappers are hackers who take over a target's phone number in order to receive their calls and texts, which in turn can let them break into all manner of accounts.
In mid-April, we provided brutecat with one of our personal Gmail addresses in order to test the vulnerability. About six hours later, brutecat replied with the correct and full phone number linked to that account.
“Essentially, it's bruting the number,” brutecat said of their process. Brute forcing is when a hacker rapidly tries different combinations of digits or characters until finding the ones they're after. Typically that's in the context of finding someone's password, but here brutecat is doing something similar to determine a Google user's phone number.
Brutecat said in an email the brute forcing takes around one hour for a U.S. number, or 8 minutes for a UK one. For other countries, it can take less than a minute, they said.
In an accompanying video demonstrating the exploit, brutecat explains an attacker needs the target's Google display name. They find this by first transferring ownership of a document from Google's Looker Studio product to the target, the video says. They say they modified the document's name to be millions of characters, which ends up with the target not being notified of the ownership switch. Using some custom code, which they detailed in their write up, brutecat then barrages Google with guesses of the phone number until getting a hit.
“The victim isn't notified at all :)” a caption in the video reads.
A Google spokesperson told 404 Media in a statement “This issue has been fixed. We've always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue. Researcher submissions like this are one of the many ways we're able to quickly find and fix issues for the safety of our users.”
Phone numbers are a key piece of information for SIM swappers. These sorts of hackers have been linked to countless hacks of individual people in order to steal online usernames or cryptocurrency. But sophisticated SIM swappers have also escalated to targeting massive companies. Some have worked directly with ransomware gangs from Eastern Europe.
Armed with the phone number, a SIM swapper may then impersonate the victim and convince their telecom to reroute text messages to a SIM card the hacker controls. From there, the hacker can request password reset text messages, or multi-factor authentication codes, and log into the victim's valuable accounts. This could include accounts that store cryptocurrency, or even more damaging, their email, which in turn could grant access to many other accounts.
On its website, the FBI recommends people do not publicly advertise their phone number for this reason. “Protect your personal and financial information. Don't advertise your phone number, address, or financial assets, including ownership or investment of cryptocurrency, on social media sites,” the site reads.
In their write-up, brutecat said Google awarded them $5,000 and some swag for their findings. Initially, Google marked the vulnerability as having a low chance of exploitation. The company later upgraded that likelihood to medium, according to brutecat's write-up.
