Researchers discovered a flaw in Google's legacy account recovery form that allowed brute-force guessing of users' recovery phone numbers, exposing them to phishing and SIM-swapping. Google addressed the issue by deprecating the vulnerable endpoint, improving account security. #GoogleVulnerability #BruteForceAttacks
Key points
- A vulnerability in Google's no-JS recovery form enabled brute-force discovery of recovery phone numbers.
- Researchers used IP rotation and CAPTCHA bypass techniques to perform high-speed attacks.
- An attacker could retrieve partially masked phone numbers through the account recovery process, putting affected accounts at risk of compromise.
- Google fixed the vulnerability by fully deprecating the affected no-JS recovery endpoint in June 2025.
- Whether the flaw was exploited in the wild remains unknown, but it posed significant risks of targeted phishing and SIM-swap attacks.