Exploiting a Google Account Recovery Flaw: Brute-forcing Phone Numbers with IPv6 and BotGuard Tokens
2025-06-09

A security researcher discovered a vulnerability in Google's account recovery process, allowing attackers to brute-force phone numbers to gain access to user accounts. The vulnerability exploited the fact that the account recovery form still worked with JavaScript disabled, bypassing Google's rate limiting and CAPTCHAs using IPv6 IP rotation and BotGuard tokens. Attackers first obtain the target's name via Looker Studio, then use the password reset flow to get the phone number suffix. A custom program then uses proxies for brute-forcing, revealing the full phone number. Google has since patched the vulnerability.
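The bypass above works because a rate limit keyed on the exact client address sees every attempt from a fresh IPv6 address as a new client. The standard mitigation is to aggregate IPv6 clients by their /64 prefix, which is what most providers hand a single subscriber. The example below is added here to illustrate that point; it is not code from the researcher's write-up or from Google. The `RecoveryRateLimiter` class, its `limit` of five attempts, and the constructed sample addresses from the documentation range 2001:db8::/32 are all assumptions for this illustration.

```python
import ipaddress
from collections import defaultdict


class RecoveryRateLimiter:
    """Counts recovery attempts per client bucket (hypothetical, for illustration).

    With aggregate_ipv6=False the bucket is the exact address, which an attacker
    rotating through a /64 defeats. With aggregate_ipv6=True every IPv6 address
    in the same /64 shares one bucket, so rotation inside that prefix is counted
    as a single client.
    """

    def __init__(self, limit, aggregate_ipv6=True):
        self.limit = limit
        self.aggregate_ipv6 = aggregate_ipv6
        self.counts = defaultdict(int)

    def bucket_key(self, ip_str):
        ip = ipaddress.ip_address(ip_str)
        if ip.version == 6 and self.aggregate_ipv6:
            # Collapse the host part: 2001:db8:abcd:1::7 -> 2001:db8:abcd:1::/64
            return str(ipaddress.IPv6Network((str(ip), 64), strict=False))
        return str(ip)

    def allow(self, ip_str):
        """Record one attempt and return True while the bucket is under its limit."""
        key = self.bucket_key(ip_str)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def count_allowed(limiter, attempts):
    """Return how many of the given attempts the limiter lets through."""
    return sum(1 for ip in attempts if limiter.allow(ip))


def simulate_rotation(limit=5):
    """Replay 20 attempts, each from a distinct address inside one constructed /64.

    Returns (allowed_per_address, allowed_per_prefix).
    """
    attempts = [f"2001:db8:abcd:1::{i:x}" for i in range(1, 21)]  # constructed sample
    per_address = count_allowed(RecoveryRateLimiter(limit, aggregate_ipv6=False), attempts)
    per_prefix = count_allowed(RecoveryRateLimiter(limit, aggregate_ipv6=True), attempts)
    return per_address, per_prefix


if __name__ == "__main__":
    print(simulate_rotation())  # per-address limiter admits all 20; per-/64 admits 5
```

A production limiter would also need time windows and persistence, but the keying decision shown here is what decides whether address rotation within one prefix counts as one client or twenty.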
Tech
account security