Exploiting a Google Account Recovery Flaw: Brute-forcing Phone Numbers with IPv6 and BotGuard Tokens

2025-06-09

A security researcher discovered a vulnerability in Google's account recovery process that allowed an attacker to brute-force a target's recovery phone number, a stepping stone towards taking over the account. The attack relied on the fact that the account recovery form still worked with JavaScript disabled; Google's rate limiting and CAPTCHAs were then bypassed by rotating through IPv6 addresses and supplying valid BotGuard tokens. The attacker first obtains the target's display name via Looker Studio, then uses the password reset flow to learn the phone number suffix Google shows as a hint. A custom program then brute-forces the remaining digits through proxies, revealing the full phone number. Google has since patched the vulnerability.
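The IPv6 rotation in the write-up works because a per-address rate limiter treats every one of the 2^64 hosts in a single /64 as a different client. The following added example (not code from the original post or from Google) simulates that: a naive limiter keyed on the exact /128 address lets every rotated request through, while a limiter keyed on the covering /64 prefix stops the burst at its limit. The attacker prefix, the limit of 10 attempts and the assumption that an attacker controls a whole /64 are constructed for the illustration.

```python
import ipaddress
import random
from collections import defaultdict

# Constructed /64 for the example. Residential and hosting IPv6 allocations are
# commonly at least a /64, so rotating within it yields 2**64 distinct addresses.
ATTACKER_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:1234::/64")


def random_address_in(prefix: ipaddress.IPv6Network,
                      rng: random.Random) -> ipaddress.IPv6Address:
    """Pick a uniformly random host address inside `prefix` (one rotation step)."""
    host_bits = 128 - prefix.prefixlen
    return prefix.network_address + rng.getrandbits(host_bits)


class PerAddressLimiter:
    """Weak limiter: one counter per exact /128 address.

    Every rotated address is a fresh key, so the limit is never reached.
    """

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.counts: dict[str, int] = defaultdict(int)

    def allow(self, addr: ipaddress.IPv6Address) -> bool:
        key = str(addr)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


class PerPrefixLimiter:
    """Hardened limiter: one counter per covering prefix (default /64).

    Assumes a /64 is the smallest block a single party realistically controls;
    an operator may pick /56 or /48 to be stricter at the cost of more false
    positives for large shared networks.
    """

    def __init__(self, limit: int, prefixlen: int = 64) -> None:
        self.limit = limit
        self.prefixlen = prefixlen
        self.counts: dict[str, int] = defaultdict(int)

    def allow(self, addr: ipaddress.IPv6Address) -> bool:
        # Collapse the address to its covering network so rotation inside the
        # block maps to the same bucket.
        key = str(ipaddress.IPv6Network((addr, self.prefixlen), strict=False))
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def simulate(limiter, attempts: int, seed: int = 1) -> int:
    """Return how many of `attempts` rotated-IPv6 requests the limiter let through."""
    rng = random.Random(seed)
    allowed = 0
    for _ in range(attempts):
        if limiter.allow(random_address_in(ATTACKER_PREFIX, rng)):
            allowed += 1
    return allowed


if __name__ == "__main__":
    print("per-/128 limiter allowed:", simulate(PerAddressLimiter(10), 1000))
    print("per-/64  limiter allowed:", simulate(PerPrefixLimiter(10), 1000))
```

The prefix-keyed limiter only closes the address dimension of the bypass; the write-up's other ingredient, presenting a valid BotGuard token with each request, has to be handled by binding tokens to a session or request and checking their freshness, which this example does not model.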


Critical YouTube Flaw Leaks User Emails via Pixel Recorder

2025-02-12

A critical vulnerability in YouTube allowed an attacker to leak the email address of any YouTube user by chaining it with Google's Pixel Recorder service. The attacker first obtains the target's obfuscated Gaia ID through YouTube's /get_item_context_menu endpoint, then uses Pixel Recorder's sharing functionality, while suppressing the notification that would otherwise alert the victim, to resolve the Gaia ID to an email address. Although the exploit requires a multi-step chain, its impact is significant, and Google paid a $10,500 bounty for it.
