
A cybersecurity researcher has found a way to determine the phone number linked to any Google account, information that can then be used to hack the account. The method has been tested by 404 Media and Wired.
It's worth noting that Google has already patched the vulnerability. At the time of its discovery, it posed a real threat to privacy because the number could be determined very quickly. Even a novice hacker with relatively few resources could do it.
"I consider this exploit to be quite dangerous, as it is actually a gold mine for SIM fraudsters," wrote Brutecat, the security researcher who discovered the problem.
Journalists asked Brutecat to hack one of their personal Gmail addresses as verification. About six hours later, he provided the correct and complete number associated with that account.
The method is based on brute-forcing the phone number after some preparatory steps. The brute-forcing has proven to be extremely efficient: the search takes about an hour for a US number and only eight minutes for a UK number. For numbers from other countries, it can take less than a minute.
First, the attacker needs a Google username. In his video, the researcher demonstrates a way to get it: he transfers ownership of a Google Looker Studio document to the target. If the document name contains 1 million characters, the victim is not notified of the change of ownership. Using auxiliary code, the researcher then bombards Google with phone number variants until he gets a result. "The victim is not notified at all," Brutecat writes.
This is followed by the usual SIM fraud: an attempt to have the SIM card reissued, during which the attacker must convince the operator. To prevent such hacks, the US FBI and other law enforcement agencies usually recommend not using a publicly known number to register accounts, but this advice is ineffective when the number can be found by brute force.
The researcher said that Google awarded him $5000 for discovering the vulnerability, plus some more for certain findings. Initially, Google rated the vulnerability as having a low probability of exploitation, but later upgraded it to medium. The vulnerability is now closed.