Bruteforcing the phone number of any Google user
a year ago
- #brute-force
- #vulnerability
- #security
- Discovered a vulnerability in Google's username recovery form that works without JavaScript.
- The form allows checking if a recovery phone number is associated with a display name via two HTTP requests.
- Initial attempts to brute-force were thwarted by IP-based rate limiting and CAPTCHAs.
- Explored using IPv6 to bypass rate limits by rotating IP addresses for each request.
- Discovered that using a BotGuard token from the JS-enabled form bypassed request limits on the No-JS form.
- Developed a proof-of-concept tool (gpb) to brute-force phone numbers using display names and phone hints.
- Identified methods to leak Google account display names via Looker Studio and determine country codes from phone masks.
- Optimized the brute-forcing process with libphonenumber validation and real-time BotGuard token generation.
- Achieved brute-forcing speeds of ~40k checks per second, so the time required depended on the size of the country code's number space.
- Reported the vulnerability to Google, leading to a $5,000 bounty and eventual deprecation of the No-JS form.