Google Brute-Force Attack Exposes Phone Numbers In Minutes

Accepted submission by Arthur T Knackerbracket at 2025-06-12 09:33:02
Security


Arthur T Knackerbracket has processed the following story [theregister.com]:

A researcher has exposed a flaw in Google's authentication systems, opening it to a brute-force attack that left users' mobile numbers up for grabs.

The security hole, discovered [brutecat.com] by a white-hat hacker operating under the handle Brutecat, left the phone numbers of any Google user who'd logged in open to exposure. The issue was a code slip that allowed brute-force attacks against accounts, potentially enabling SIM-swapping attacks.

"This Google exploit I disclosed just requires the email address of the victim and you can get the phone number tied to the account," Brutecat told The Register.

Brutecat found that Google's account recovery process provided partial phone number hints, which could be exploited. By using cloud services and a Google Looker Studio account, the attacker was able to bypass security systems and launch a brute-force attack.

They explained in the post that "after looking through random Google products, I found out that I could create a Looker Studio document, transfer ownership of it to the victim, and the victim's display name would leak on the home page, with 0 interaction required from the victim."

The researcher also found an old-school username recovery form that worked without JavaScript, which allowed them to check whether a recovery email or phone number was associated with a specific display name using two HTTP requests.

After this, they could go "through forgot password flow for that email and get the masked phone."

Finally, a brute-forcing tool they developed, called gpb, would run with the display name and masked phone to unmask the phone number, using real-time libphonenumber validation [github.com] to filter out invalid numbers before querying Google's API.

You can see the full process below.

YouTube video [youtube.com]

By setting up the Looker account using a Google account name, and hiring enough cloud resources to send out false requests, the hacker was able to deduce the phone number in a remarkably short time.

"I found the flaw as it was quite surprising that they had account recovery forms that worked without JavaScript, since their anti-abuse system wouldn't work without JavaScript," Brutecat told The Register.

"Specifically, it was the fact that they were doing it per IP address limiting. But with IPv6, it's extremely easy to get your hands on trillions of IP addresses. They also had a check if you're hitting the endpoint from a dead center IP but I was able to overcome this by using a bot guard token from JavaScript."
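The per-IP-address limiting Brutecat describes is the weak point a defender can act on directly: an IPv6 end site normally receives at least a /64, so a limiter keyed on the full 128-bit address hands out a fresh quota for every one of the 2^64 hosts in that prefix. The following is an added illustration, not code from Google, The Register, or the researcher's gpb tool; the limits, window, the `2001:db8:...` sample prefix and the request timings are all constructed for the demonstration. It runs the same stream of requests through a limiter keyed per address and one keyed per /64 and shows that only the second one actually throttles.

```python
import ipaddress
from collections import defaultdict

# Constructed policy for the demonstration: at most MAX_ATTEMPTS requests
# from one bucket inside a sliding WINDOW_SECONDS window.
MAX_ATTEMPTS = 5
WINDOW_SECONDS = 60.0


def bucket_key(ip: str, v6_prefix: int = 64, v4_prefix: int = 32) -> str:
    """Map a client address to the bucket it is charged against.

    IPv4 clients are keyed per address. IPv6 clients are keyed by their
    /64 (the usual minimum end-site allocation), so walking through the
    host bits of one prefix does not buy a new quota. Many operators also
    track the enclosing /48, since providers commonly delegate /48 or /56.
    """
    addr = ipaddress.ip_address(ip)
    prefix = v6_prefix if addr.version == 6 else v4_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class PrefixRateLimiter:
    """Sliding-window limiter; per_address=True reproduces the weak scheme."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS,
                 window: float = WINDOW_SECONDS, per_address: bool = False):
        self.max_attempts = max_attempts
        self.window = window
        self.per_address = per_address
        # bucket -> timestamps of attempts still inside the window
        self.hits: dict[str, list[float]] = defaultdict(list)

    def allow(self, ip: str, now: float) -> bool:
        key = ip if self.per_address else bucket_key(ip)
        recent = [t for t in self.hits[key] if now - t < self.window]
        if len(recent) >= self.max_attempts:
            self.hits[key] = recent
            return False          # over quota: deny and do not count it
        recent.append(now)
        self.hits[key] = recent
        return True


def rotating_v6_attempts(count: int, prefix: str = "2001:db8:abcd:1234::"):
    """Constructed sample traffic: one client sending one request per second,
    each from a different host address inside a single /64 (documentation
    prefix, not a real network)."""
    base = int(ipaddress.ip_address(prefix))
    return [(str(ipaddress.ip_address(base + i)), float(i)) for i in range(count)]


def count_allowed(limiter: PrefixRateLimiter, attempts) -> int:
    """Feed the attempts through the limiter and return how many got through."""
    return sum(1 for ip, t in attempts if limiter.allow(ip, t))


if __name__ == "__main__":
    traffic = rotating_v6_attempts(20)
    weak = PrefixRateLimiter(per_address=True)
    strong = PrefixRateLimiter()
    print("per-address limiter allowed:", count_allowed(weak, traffic))   # 20
    print("per-/64 limiter allowed:   ", count_allowed(strong, traffic))  # 5
    # A client in a different /64 is unaffected by the throttled prefix.
    print("unrelated /64 still served:", strong.allow("2001:db8:ffff:1::1", 10.0))
```

Prefix-keyed limiting is one layer, not the whole fix: the article also notes the endpoint accepted requests without the JavaScript anti-abuse check and that a botguard token lifted from a JS flow was reused against it, which is why Google's remedy was to retire the form rather than tune the limiter.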

Surprisingly, Google didn't consider this a serious flaw, awarding Brutecat $5,000 under its bug bounty scheme.

"Google was pretty receptive and promptly patched the bug," the researcher said. "By depreciating the whole form compared to my other disclosures, this was done much more quickly. That being said, the bounty is pretty low when taking into account the impact of this bug."

"This issue has been fixed," a Google spokesperson told us. "We've always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue. Researcher submissions like this are one of the many ways we're able to quickly find and fix issues for the safety of our users."
