A now-patched vulnerability in Google's account recovery system briefly opened the door to a subtle but powerful form of data exposure, allowing determined attackers to retrieve a user's private recovery phone number without their knowledge. The weakness, while no longer active, once relied on a series of overlooked interactions between separate account features rather than a single critical flaw—a method that made it difficult to detect and even harder to trace.
The issue came to light after an independent researcher, operating under the name Brutecat, noticed that one of Google's recovery forms continued to function even when JavaScript was disabled. This small detail, seemingly harmless at first glance, proved to be the foundation of a broader attack chain. By using this non-scripted version of the form, it became possible to query whether a given phone number or email address was linked to a specific Google display name, a process that unintentionally provided attackers with confirmation about the validity of recovery methods tied to individual accounts.
Once that connection was established, the next step involved the standard password reset process, which displayed a partially hidden version of the associated phone number. While the masked format protected most of the digits, enough information remained visible to guide a targeted brute-force approach—particularly when the attacker already knew the victim's country of residence. With the international dialing code fixed, the number of unknown digits dropped to as few as six or seven, a range that could be cracked in a matter of seconds by running automated scripts on relatively modest hardware.
To improve the accuracy of the attack, the researcher also found a creative way to extract a user's full name through a feature of Looker Studio, Google's data visualization platform: creating a shared document and transferring its ownership to the target account caused the target's complete display name to appear in the interface. This detail, combined with the earlier methods, let the attacker craft highly specific requests that reduced guesswork and accelerated the brute-force phase of the exploit.
Testing revealed that the process was not only effective but alarmingly fast. With a simple server setup, the researcher demonstrated that thousands of number combinations could be tested every second. In some countries, the full recovery number could be exposed in under half a minute. For others, it took just a few minutes longer—still well within the range of practical exploitation.
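The chain above turns a recovery-lookup form into an oracle that is queried thousands of times per second against one display name. A server-side signal a defender can watch for is exactly that shape: one client submitting many distinct phone candidates for the same name in a short window. The following detection is an added example, not Google's code or the researcher's; the log format, field names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed): "<iso-ts> <client-ip> name="<display name>" phone=<e164> result=<match|no_match>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) name="(?P<name>[^"]*)" phone=(?P<phone>\+\d+) result=(?P<res>\w+)$'
)

def parse(line):
    """Parse one recovery-lookup log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    return d

def flag_enumeration(lines, max_candidates=20, window=timedelta(seconds=60)):
    """Return {(ip, name): peak} for clients that tried more than max_candidates
    distinct phone numbers against a single display name inside a sliding window.
    A genuine user recovers one account with a handful of attempts; an enumeration
    of the masked number needs hundreds of thousands."""
    events = defaultdict(list)  # (ip, name) -> [(ts, phone)]
    for line in lines:
        e = parse(line)
        if e:
            events[(e["ip"], e["name"])].append((e["ts"], e["phone"]))
    flagged = {}
    for key, evs in events.items():
        evs.sort()
        start, seen = 0, defaultdict(int)  # seen: phone -> occurrences inside window
        for ts, phone in evs:
            seen[phone] += 1
            while evs[start][0] < ts - window:   # expire events older than the window
                old = evs[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) > max_candidates:
                flagged[key] = max(flagged.get(key, 0), len(seen))
    return flagged

def constructed_log():
    """Constructed sample: one legitimate user with two attempts, one client
    sweeping 25 candidate numbers for the same display name in five seconds."""
    base = datetime(2025, 6, 9, 10, 0, 0)
    lines = [f'{base.isoformat()} 198.51.100.4 name="Jane Doe" phone=+15550100001 result=no_match',
             f'{(base + timedelta(seconds=30)).isoformat()} 198.51.100.4 name="Jane Doe" phone=+15550100002 result=match']
    for i in range(25):
        ts = base + timedelta(milliseconds=200 * i)
        lines.append(f'{ts.isoformat()} 203.0.113.7 name="Jane Doe" phone=+1555020{i:04d} result=no_match')
    return lines
```

In production the same counter would key on the endpoint's real client identity (IP, session or device token) and feed a rate limit or CAPTCHA step rather than only a report.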
Although the underlying flaw has since been addressed, with Google confirming the deactivation of the vulnerable endpoint and implementation of additional safeguards, the incident underscores how separate components of a digital ecosystem can be manipulated in tandem to bypass intended protections. While no known widespread abuse occurred before the fix was deployed, the method serves as a reminder that security is not only about strong individual barriers but also about how those barriers connect.