Google has acknowledged a major flaw that may lead you to believe your account and data aren’t as secure as you think. Researchers may have discovered phone numbers linked to Google accounts. If you’re one of those people who use their phone number as a security option for their Google accounts, be careful because your recovery phone number may have been leaked.
A vulnerability allowed researchers to force this phone number onto any account using only the profile name and an easily recoverable partial phone number. This is more serious than it seems, as it poses a massive risk of phishing and SIM-swapping attacks.
Google fixes major phone vulnerability
Security researcher BruteCat demonstrated this issue, having previously shown in February of this year that it was possible to expose private email addresses for YouTube accounts. The attack method involved abusing an outdated, JavaScript-disabled version of Google’s username recovery form, which lacked modern protections against abuse. This has now changed, and your phone should be more secure against these attacks.
Although the attacker obtains the phone number used to recover the Google account, which is widely used to avoid losing Gmail emails or data from Google Drive or Google Photos, it’s usually the same as the account holder’s primary phone number. There are a few cases where this isn’t the case, so a cybercriminal could have taken advantage of this to obtain multiple numbers and carry out phishing attacks, related to SIM cards, spam, and many other things.
The problem is that the username recovery form could be accessed without JavaScript, and checked whether a phone number was associated with a Google account. Through a somewhat complex process, which we won’t go into in detail, they were able to discover the phone numbers associated with Google accounts, with the risk that this entails. Google reported this issue through the Vulnerability Reward Program less than two months ago.
At first, they thought the risk of exploitation was low, but they quickly upgraded it to a medium-severity risk, fixed it, and paid the researcher. This issue has now been fixed, and it’s no longer possible to obtain Google users’ phone numbers this way. It’s not currently known whether this vulnerability was ever maliciously exploited, as the risk did exist and could have been discovered earlier, but we’d like to assume not.
The important thing is that an update has fixed it, and that’s why it’s so important to update your phones and apps whenever a new version is released, beyond just enjoying the new features it brings. Therefore, if you see a new update on your Android phone, install it as soon as possible.
