A Researcher Figured Out How To Reveal Any Phone Number Linked To a Google Account (wired.com) 17
A cybersecurity researcher was able to figure out the phone number linked to any Google account, information that is usually not public and is often sensitive, according to the researcher, Google, and 404 Media's own tests. From a report: The issue has since been fixed but at the time presented a privacy issue in which even hackers with relatively few resources could have brute forced their way to peoples' personal information. "I think this exploit is pretty bad since it's basically a gold mine for SIM swappers," the independent security researcher who found the issue, who goes by the handle brutecat, wrote in an email.
[...] In mid-April, we provided brutecat with one of our personal Gmail addresses in order to test the vulnerability. About six hours later, brutecat replied with the correct and full phone number linked to that account. "Essentially, it's bruting the number," brutecat said of their process. Brute forcing is when a hacker rapidly tries different combinations of digits or characters until finding the ones they're after. Typically that's in the context of finding someone's password, but here brutecat is doing something similar to determine a Google user's phone number.
Brutecat said in an email the brute forcing takes around one hour for a U.S. number, or 8 minutes for a UK one. For other countries, it can take less than a minute, they said. In an accompanying video demonstrating the exploit, brutecat explains an attacker needs the target's Google display name. They find this by first transferring ownership of a document from Google's Looker Studio product to the target, the video says. They say they modified the document's name to be millions of characters, which ends up with the target not being notified of the ownership switch. Using some custom code, which they detailed in their write up, brutecat then barrages Google with guesses of the phone number until getting a hit.
[...] In mid-April, we provided brutecat with one of our personal Gmail addresses in order to test the vulnerability. About six hours later, brutecat replied with the correct and full phone number linked to that account. "Essentially, it's bruting the number," brutecat said of their process. Brute forcing is when a hacker rapidly tries different combinations of digits or characters until finding the ones they're after. Typically that's in the context of finding someone's password, but here brutecat is doing something similar to determine a Google user's phone number.
Brutecat said in an email the brute forcing takes around one hour for a U.S. number, or 8 minutes for a UK one. For other countries, it can take less than a minute, they said. In an accompanying video demonstrating the exploit, brutecat explains an attacker needs the target's Google display name. They find this by first transferring ownership of a document from Google's Looker Studio product to the target, the video says. They say they modified the document's name to be millions of characters, which ends up with the target not being notified of the ownership switch. Using some custom code, which they detailed in their write up, brutecat then barrages Google with guesses of the phone number until getting a hit.
fail2ban, anyone? (Score:1)
More like an HR failure at Google. This is just insane.
Re: fail2ban, anyone? (Score:3)
Why shouldn't I be able to try any of your web server scripts millions of times per second? Surely not automated! Lol....
Is there _anybody_ that gets IT security right? (Score:2)
It seems they all mess up. Time for real penalties large enough that make it worthwhile hiring actual experts and letting them do it right. Otherwise this crap will continue and it is getting unsustainable.
Re: (Score:2)
Yes.
The people that don't give their phone numbers to random web services do.
Or those who use throw-away phone numbers when they need to register a phone.
Re: (Score:2)
That is just dumb. The reason they want that phone number is because without it their crappy security gets _worse_.
Re: (Score:2)
You're not the sharpest tool in the drawer if you really think so.
The real reason they want your mobile phone number is to track you.
These tend to be unique and nearly permanent.
Re: Is there _anybody_ that gets IT security right (Score:2)
Re: (Score:2)
You can always travel to Switzerland and renounce your citizenship. Here's how to get started:
https://ch.usembassy.gov/u-s-c... [usembassy.gov]
I'll check back in a few weeks to see how you're progressing.
Re: (Score:2)
Most regular people won't have the knowledge of the tricks, or persistence to apply them at every login when google makes a point to tell you your account isn't safe without a number associated, and does not offer you an alternative on the screen. What I do when this happens is to ignore this screen, open another navigator tab, and it accepts it as an "ignored" answer.
Also, there are websites that don't let you use the services without a phone number associated, e.g. banks, airlines, delivery services.
Re: (Score:2)
Goole is very much subject to the GDPR. Lying would get _very_ expensive.
Re: (Score:3)
It seems they all mess up. Time for real penalties large enough that make it worthwhile hiring actual experts and letting them do it right. Otherwise this crap will continue and it is getting unsustainable.
No, no one get security right, and they never will. Security is hard and even actual experts make mistakes.
The best you can do is to expect companies to make a good effort to avoid vulnerabilities and to run vulnerability reward programs to incentivize researchers to look for and report bugs, then promptly reward the researchers and fix the vulns.
And that's exactly what Google does, and what Google did. Google does hire lots of actual security experts and has lots of review processes intended to check
Re: Is there _anybody_ that gets IT security right (Score:2)
Come on, be real. It's a systemic problem of any big company/product. Once the product becomes of a certain size and you've got too many people/teams working on the same code base, no one has any coherent knowledge of what's going on inside. It becomes a parchwork; impossible to control.
Glad I never linked my phone number (Score:1)
I already knew security of 2FA using SMS was weak, but now it's been weakened even further.
I'm glad I never have linked my phone number to my Google account, but Google still won't stop pestering me to do that even though it's clearly going to weaken the security of my account.
Google, please stop asking for my phone number.
Actual link (Score:5, Informative)
Actual content: Bruteforcing the phone number of any Google user [brutecat.com]
Not that 404 paywalled crap.
Don't allow gajillion tries, dammit! (Score:2)
Accessing a key should always be throttled, and locked out if a threshold is reached.