
Google vulnerability leaking phone numbers remediated


Google has issued a patch for a security issue impacting its account recovery feature that could be leveraged to covertly leak Google account-linked phone numbers, TechCrunch reports.

Independent security researcher brutecat created an exploit that exposed targeted accounts' full display names and circumvented the anti-bot defense mechanism Google uses to hinder spamming of password reset requests. Automating the exploit with a script could allow a recovery number to be brute-forced in at most 20 minutes, according to brutecat. The discovery has earned brutecat a $5,000 bounty from Google.

"We've always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue. Researcher submissions like this are one of the many ways we’re able to quickly find and fix issues for the safety of our users," said Google spokesperson Kimberly Samra.
