A vulnerability was discovered in Google's account recovery form, allowing the brute forcing of Google users' phone numbers when JavaScript is disabled.
The exploit involves using HTTP requests to verify if a Google account is associated with a given phone number and display name combination.
The vulnerability could bypass Google’s rate limiting measures by using IPv6 address rotation, which provides a large number of possible IP addresses.
A proof of concept showed that the exploitation process could recover a user's phone number when the display name and some of the phone number's digits are already known.
Despite attempts to mitigate, a workaround involving manipulating the botguard token from a JavaScript-enabled form enabled successful exploitation.
The report emphasizes the process's complexity and mentions that Google has since addressed the issue and rolled out mitigations.
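The rate-limit bypass in the summary above works because a per-address counter treats every rotated IPv6 address as a new client. The following added example (not code from the report or from Google, whose actual rate limiting is not described on this page) contrasts a per-address sliding-window limiter with one keyed on the client's /64 prefix; `client_key`, `SlidingWindowLimiter` and the sample addresses in the documentation prefix 2001:db8::/64 are all constructed for this illustration.

```python
import ipaddress
import time
from collections import defaultdict, deque


def client_key(addr: str) -> str:
    """Map a client address to the bucket a rate limiter should count on (hypothetical helper).

    An IPv6 subscriber usually controls a whole /64, so counting per address lets a client
    rotate through billions of addresses without ever reaching the limit. Collapsing to the
    /64 prefix makes rotation inside that prefix count as one client. IPv4 is used as-is.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return str(ipaddress.IPv6Network(f"{ip}/64", strict=False))
    return str(ip)


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key within any `window`-second span."""

    def __init__(self, limit: int, window: float, key_func=client_key):
        self.limit = limit
        self.window = window
        self.key_func = key_func
        self._hits = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, addr: str, now=None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits[self.key_func(addr)]
        while hits and now - hits[0] >= self.window:  # expire old timestamps
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def count_allowed(limiter: SlidingWindowLimiter, addrs, start: float = 0.0) -> int:
    """Replay one request per address, one second apart, and count how many get through."""
    return sum(limiter.allow(a, now=start + i) for i, a in enumerate(addrs))


# Constructed sample: one client rotating through 20 hosts inside 2001:db8::/64.
ROTATING_CLIENT = [f"2001:db8::{i:x}" for i in range(1, 21)]

if __name__ == "__main__":
    per_address = SlidingWindowLimiter(limit=5, window=60, key_func=lambda a: a)
    per_prefix = SlidingWindowLimiter(limit=5, window=60)
    print("per-address limiter admits:", count_allowed(per_address, ROTATING_CLIENT))  # 20
    print("per-/64 limiter admits:    ", count_allowed(per_prefix, ROTATING_CLIENT))   # 5
```

Prefix-keyed counting is only one layer; the botguard-token workaround in the summary shows why the form-level anti-automation token also has to be bound to the no-JavaScript path.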