Google Fixes Critical Bug That Exposed Users' Private Phone Numbers in Under 20 Minutes

Google has patched a major security flaw that could have exposed users' recovery phone numbers, thanks to a responsible researcher's discovery.

The bug, disclosed in April 2025, posed serious risks including SIM swapping and account takeovers via brute-force exploitation.

A major security vulnerability in Google’s account recovery system that could have exposed the private recovery phone numbers of millions of users has been patched, following a responsible disclosure by an independent researcher.

The researcher, who goes by the pseudonym brutecat, uncovered the flaw in April 2025 and reported it to Google before publicly disclosing the details. The bug, if exploited, would have allowed bad actors to reveal a user’s linked phone number within minutes, without notifying the account holder, putting users at heightened risk of targeted attacks, including SIM swapping and account takeovers.

The exploit hinged on a carefully constructed attack chain, combining several weaknesses in Google’s account recovery feature. It involved leaking the full display name of a target and bypassing Google’s anti-bot protections, including rate limits intended to block brute-force attacks. Once these safeguards were bypassed, the attacker could iterate through different phone number combinations until the correct one was revealed.

According to Brutecat, a simple automated script was enough to carry out the attack, allowing the brute-forcing of a phone number in 20 minutes or less. To verify the exploit, TechCrunch created a fresh Google account using an unused phone number. After providing Brutecat with the email address, the researcher quickly returned with the correct phone number, confirming the severity of the vulnerability.

Such a flaw could have major repercussions. Recovery phone numbers are a critical layer of account security. If compromised, they can be used in attacks like SIM swaps, where hackers trick telecom providers into transferring a victim’s number to a new SIM card. With control over the number, attackers can intercept security codes and reset account passwords, giving them full access to sensitive data, emails, and financial accounts.

Google has since confirmed the issue has been fixed and emphasised its commitment to working closely with security researchers through its Vulnerability Rewards Program.

“This issue has been fixed. We’ve always stressed the importance of working with the security research community through our vulnerability rewards program, and we want to thank the researcher for flagging this issue,” said Google spokesperson Kimberly Samra.

Samra added that there were “no confirmed, direct links to exploits at this time”, indicating that the bug was not known to have been actively exploited by malicious actors before its discovery.

For identifying and reporting the bug, Brutecat was awarded $5,000 under Google’s bug bounty program, a reward that, while modest, underscores the value of vigilant security research in protecting billions of users globally.

The incident serves as a reminder of the constant cat-and-mouse game in cybersecurity, where even the most robust systems can harbor hidden vulnerabilities. It also highlights the essential role played by ethical hackers who responsibly report flaws, ensuring they are patched before they can be abused.

Osemekemen

Ilumah Osemekemen is Editor at Newskobo.com. A Business Administration graduate, he produces researched content on business, tech, sports and education.
