Google Account Recovery Flaw: A Bruteforce Vulnerability Discovered

In a notable discovery, a security researcher known by the moniker “brutecat” revealed a critical vulnerability in Google’s account recovery process. The flaw exists in the deprecated, JavaScript-disabled version of Google’s username recovery page and allows attackers to brute-force the phone numbers linked to Google accounts. The finding exposes a serious weakness in an account recovery mechanism that had long been assumed to be secure.

Introduction

Google, one of the largest tech companies globally, has continually updated its security measures to safeguard user data. However, even industry giants are not immune to security flaws. Recently, a researcher uncovered a method to abuse Google’s recovery system that, in practice, could expose user information such as the phone numbers linked to accounts. The discovery underscores the importance of continuously monitoring and improving security features, especially for services that handle sensitive personal information.

The Original

A researcher known as “brutecat” discovered a critical vulnerability in Google’s account recovery system. The flaw existed in an outdated, JavaScript-disabled version of Google’s username recovery page, which lacked proper anti-abuse measures. The discovery came when the researcher disabled JavaScript in the browser and found that Google’s username recovery form still functioned. This form allowed users to check if a recovery phone number or email was linked to a specific display name.

The recovery process worked through two HTTP POST requests: the first submitted a phone number and returned a unique “ess” value, and the second, using this value together with a display name, returned a response indicating whether a matching account existed. The researcher found that this form could be brute-forced to extract the phone numbers associated with specific display names.

While initial attempts were blocked by CAPTCHAs and rate limits, the researcher bypassed these protections using proxies and IPv6 address rotation. The breakthrough came when the researcher used a BotGuard token from the JS-enabled form, which bypassed CAPTCHA protections on the JavaScript-disabled version. This allowed for successful brute-forcing of phone numbers linked to Google accounts.

Although some challenges remained, such as identifying the

What Undercode Says:

The discovery by “brutecat” reveals significant gaps in the security architecture of Google’s account recovery system. While the brute-forcing vulnerability only affects a deprecated version of the username recovery page, the fact that it exists at all shows that even the most trusted platforms can have overlooked vulnerabilities. This particular flaw highlights a few critical issues:

  1. Outdated Features: The existence of an old, unprotected recovery page shows that even tech giants can overlook maintaining older features. Google’s failure to disable or secure the JavaScript-disabled page left it vulnerable to exploitation.

  2. Flawed Rate Limiting: The rate limits and CAPTCHAs meant to prevent abuse did not stop the brute-force attack. By using proxies, rotating IP addresses, and reusing a BotGuard token, the researcher was able to circumvent these protections. This highlights the need for more robust, layered security measures that can detect and stop sophisticated attacks.

  3. Accessibility of Sensitive Data: Once attackers can extract the last two digits of a phone number, as seen in this case, they can rapidly build out the full number. This kind of information, when paired with other publicly available data like a display name, is more than enough to break into accounts.

  4. Speed and Efficiency of Attacks: The ability to run 40,000 brute-force checks per second using minimal resources (a $0.30/hour server with 16 vCPUs) demonstrates how fast and efficient brute-force attacks can be, even against strong systems like Google’s. It becomes evident that Google’s security measures were not designed to counter the scale and speed of modern attacks.

This discovery serves as a warning to all tech companies about the importance of regularly auditing old systems and ensuring that they are adequately secured, even if they are no longer actively used.
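As an added example (not code from the article, from Google, or from the researcher), the following Python sketch shows a layered check for a recovery endpoint that closes the two gaps described above: it keys rate limits on the IPv6 /64 (or IPv4 /24) rather than the exact client address, so address rotation within one block still lands in a single bucket, and it binds the anti-abuse token to the form that issued it and to a single use, so a token obtained from one version of the form cannot be replayed against another. The endpoint names, the secret, the limit and the addresses are constructed for the demonstration.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict

SECRET = b"constructed-demo-secret"  # placeholder, never a real key


def bucket_key(client_ip: str) -> str:
    """Collapse an address to the block one client typically controls:
    a /64 for IPv6 (a single host can rotate through 2**64 addresses),
    a /24 for IPv4. Rate limits are then counted per block, not per address."""
    ip = ipaddress.ip_address(client_ip)
    prefix = 64 if ip.version == 6 else 24
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def issue_token(endpoint: str, nonce: str) -> str:
    """Anti-abuse token bound to the endpoint it was issued for (audience binding)."""
    mac = hmac.new(SECRET, f"{endpoint}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{endpoint}|{nonce}|{mac}"


class RecoveryGuard:
    def __init__(self, limit_per_bucket: int):
        self.limit = limit_per_bucket
        self.counts = defaultdict(int)   # requests seen per network block
        self.used_nonces = set()         # tokens are single-use

    def check(self, client_ip: str, endpoint: str, token: str) -> str:
        try:
            tok_endpoint, nonce, mac = token.split("|")
        except ValueError:
            return "deny:malformed-token"
        expected = issue_token(tok_endpoint, nonce).rsplit("|", 1)[1]
        if not hmac.compare_digest(mac, expected):
            return "deny:bad-token"
        if tok_endpoint != endpoint:
            # a token minted for the JS-enabled form is not valid on the JS-disabled one
            return "deny:token-for-other-form"
        if nonce in self.used_nonces:
            return "deny:token-replay"
        key = bucket_key(client_ip)
        if self.counts[key] >= self.limit:
            return "deny:rate-limited"
        self.counts[key] += 1
        self.used_nonces.add(nonce)
        return "allow"
```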

Fact Checker Results ✅

  1. JavaScript-Disabled Recovery Page Vulnerability: ✅ The researcher demonstrated that the outdated version of Google’s recovery page lacked anti-abuse mechanisms, leading to successful brute-forcing of phone numbers.
  2. Bypassing CAPTCHAs: ✅ The researcher successfully bypassed CAPTCHA protections using a BotGuard token and other methods, highlighting a flaw in Google’s rate-limiting system.
  3. Phone Number Guessing Feasibility: ✅ The attack was able to reveal phone numbers associated with Google accounts in mere seconds or minutes, depending on available information.

Prediction 🔮

Given the rise in security threats targeting even large tech giants like Google, it is likely that more vulnerabilities in Google’s older systems will continue to surface. As technology and hacking techniques evolve, platforms that do not regularly audit their older features may face more sophisticated breaches. Google will likely patch this flaw in future updates to its recovery process, but other potential vulnerabilities may exist in less-obvious areas, such as backup authentication methods or other deprecated services. As cyberattacks grow in complexity and speed, it’s crucial for companies to implement proactive, multi-layered defenses across all their services, old and new, to ensure the safety of user data.

References:

Reported By: securityaffairs.com