Hacking Google Support: Leaking call logs and deanonymising agents
9 hours ago
- #Bug Bounty
- #Security Vulnerability
- #Data Leak
- A security researcher discovered a vulnerability in Google's Real-time Support API that allowed unauthorized access to millions of customer support records and agent information.
- The vulnerability was found in the changes.list endpoint, which leaked private data including customer names, phone numbers, and agent details like email addresses and activity status.
- The issue was responsibly disclosed to Google's Vulnerability Rewards Program, fixed after 164 days, and rewarded with a $14,337 bounty.
- Exploiting the flaw required only minimal authentication (any Google account sufficed), and the leaked data could enable targeted phishing by tying individual customers to their specific support interactions.
- The discovery highlights the security risk posed by internal APIs and shows how Google's standardized infrastructure can be used to uncover attack surfaces that would otherwise remain hidden.