Google has fixed a critical bug in its account recovery system that exposed users' private phone numbers, allowing attackers to brute-force recovery phone numbers tied to Google accounts without alerting owners.
A security researcher discovered the flaw in Google's legacy non-JavaScript recovery form, which allowed attackers to guess the full phone number linked to a Google account within a short time frame.
The vulnerability raised privacy concerns and the risk of SIM-swapping attacks, since a disclosed private phone number can be used to hijack an account by intercepting SMS-based authentication codes.
Google responded promptly by deprecating the flawed recovery pathway, issuing a bug bounty payout, and advising users to review and update their recovery phone numbers with stronger authentication methods.