<ul><li>A vulnerability was discovered that could potentially allow for the recovery of the phone number associated with any Google account through a brute force attack.</li><li>The flaw was found in a deprecated, JavaScript-disabled version of Google's username recovery page that lacked anti-abuse protections.</li><li>By bypassing CAPTCHA rate limits and using BotGuard tokens, an attacker could rapidly test combinations of a user's phone number, revealing recovery details linked to a Google account display name.</li><li>After reporting the issue to the vendor, a reward was given to the security researcher, and mitigations were rolled out to address the vulnerability.</li></ul>

A flaw could allow recovery of the phone number associated with any Google account

Discover more