This article was produced with support from WIRED.
A cybersecurity researcher was able to figure out the phone number linked to any Google account, information that is usually not public and is often sensitive, according to the researcher, Google, and 404 Media’s own tests.
The flaw has since been fixed, but at the time it presented a privacy risk: even attackers with relatively few resources could have brute forced their way to people's personal information.
“I think this exploit is pretty bad since it’s basically a gold mine for SIM swappers,” the independent security researcher who found the issue, who goes by the handle brutecat, wrote in an email. SIM swappers are hackers who take over a target’s phone number in order to receive their calls and texts, which in turn can let them break into all manner of accounts.
In mid-April, we provided brutecat with one of our personal Gmail addresses in order to test the vulnerability. About six hours later, brutecat replied with the correct and full phone number linked to that account.
“Essentially, it’s bruting the number,” brutecat said of their process. Brute forcing is when a hacker rapidly tries different combinations of digits or characters until finding the ones they’re after. Typically that’s in the context of finding someone’s password, but here brutecat is doing something similar to determine a Google user’s phone number.