Google Vulnerability Allowed Hackers to Access User Phone Numbers

A security researcher has disclosed a critical vulnerability in Google’s account recovery system that allowed attackers to brute-force and obtain the phone numbers of any Google user.

The vulnerability, discovered in 2025, lay in Google’s username recovery form, which continued to function without JavaScript, bypassing modern security protections and enabling systematic phone number enumeration.

The vulnerability emerged when the researcher found that Google’s username recovery form still worked with JavaScript disabled, contrary to the expectation that such forms had required Google’s botguard anti-abuse checks since 2018.

The attack relied on two HTTP requests to Google’s accounts system: the first submitted a phone number to obtain an “ess” value, and the second used that value to check whether a Google account with a specific display name existed for that number.

Initially, the system appeared protected through IP-based rate limiting and CAPTCHA challenges.

However, the researcher circumvented these protections using IPv6 address rotation, exploiting the vast address space provided by /64 IP ranges that offered over 18 quintillion available addresses.
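Per-address rate limiting is what the rotation defeats: every request arrives from a fresh address inside the same /64, so each address stays under its limit. The defensive fix is to key the limiter on the network prefix a single customer controls rather than on the exact address. The following is an added example written for this article, not Google’s code; the limits, the /64 bucketing assumption and the replayed traffic are all constructed here for illustration.

```python
import ipaddress
from collections import defaultdict, deque


class PrefixRateLimiter:
    """Sliding-window rate limiter keyed on network prefix, not exact address.

    IPv6 clients are bucketed by /64 (assumed here to be the smallest
    allocation an attacker can freely rotate within), IPv4 clients by /32.
    Both limits below are constructed example values.
    """

    def __init__(self, max_requests, window_seconds, v6_prefix=64, v4_prefix=32):
        self.max_requests = max_requests
        self.window = window_seconds
        self.v6_prefix = v6_prefix
        self.v4_prefix = v4_prefix
        self.events = defaultdict(deque)  # bucket key -> timestamps in window

    def bucket_key(self, ip_str):
        """Collapse an address to the prefix that is charged for its requests."""
        ip = ipaddress.ip_address(ip_str)
        prefix = self.v6_prefix if ip.version == 6 else self.v4_prefix
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def allow(self, ip_str, now):
        """Return True if the request may proceed, False if the bucket is exhausted."""
        q = self.events[self.bucket_key(ip_str)]
        while q and q[0] <= now - self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def replay(limiter, requests):
    """Feed (timestamp, ip) pairs through a limiter; return (allowed, blocked)."""
    allowed = blocked = 0
    for ts, ip in requests:
        if limiter.allow(ip, ts):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


def distinct_sources_per_bucket(limiter, requests):
    """Detection signal: how many distinct addresses each bucket produced.

    Hundreds of unique interface identifiers inside one /64 in a few seconds
    is itself anomalous, even before any limit trips.
    """
    seen = defaultdict(set)
    for _, ip in requests:
        seen[limiter.bucket_key(ip)].add(ip)
    return {key: len(addrs) for key, addrs in seen.items()}


def rotating_v6_requests(count, prefix="2001:db8:abcd:1::", start=0.0, spacing=0.01):
    """Constructed traffic: each request uses a fresh interface id in one /64."""
    return [(start + i * spacing, f"{prefix}{i + 1:x}") for i in range(count)]


if __name__ == "__main__":
    traffic = rotating_v6_requests(200)
    per_address = PrefixRateLimiter(max_requests=10, window_seconds=60, v6_prefix=128)
    per_prefix = PrefixRateLimiter(max_requests=10, window_seconds=60, v6_prefix=64)
    print("per-address limiter (allowed, blocked):", replay(per_address, traffic))
    print("per-/64 limiter     (allowed, blocked):", replay(per_prefix, traffic))
    print("distinct sources per bucket:", distinct_sources_per_bucket(per_prefix, traffic))
```

Replaying 200 requests that rotate through 200 addresses in one /64 shows the difference: the per-address limiter passes all of them, while the /64-keyed limiter passes the first ten and blocks the rest, and a client in a different /64 is unaffected. The distinct-source count is worth exporting as a metric on its own, since a legitimate household rarely presents more than a handful of addresses from its prefix in a minute.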

The breakthrough came when replacing the “js_disabled” parameter with legitimate botguard tokens from JavaScript-enabled forms, effectively removing request limits while maintaining functionality.


The complete attack chain required three key components to successfully extract phone numbers.

First, attackers needed to obtain the target’s Google account display name, which the researcher discovered could be leaked through Google’s Looker Studio by creating documents and transferring ownership to victims.

Second, the forgot password flow provided masked phone number hints showing the last few digits, such as “– – – – – – – – 03” for Netherlands numbers.

With this information, attackers could systematically brute-force phone numbers using the researcher’s custom tool called “gpb.”

The process involved generating valid phone number combinations based on country-specific formatting rules and mobile prefixes, then testing each number against Google’s recovery system.

Using consumer-grade hardware costing $0.30 per hour, the researcher achieved approximately 40,000 verification attempts per second, making even large-scale attacks feasible.

The time required varied significantly by country due to different phone number formats. United States numbers required approximately 20 minutes to brute-force with only the last two digits known, while smaller countries like Singapore needed just 5 seconds.

Additional phone number hints from other services like PayPal could dramatically reduce attack time by providing more known digits.

Google’s Response and Security Implications

According to the report, Google initially awarded the researcher $1,337 plus promotional items, citing low exploitation likelihood.

However, following an appeal emphasizing the attack’s lack of prerequisites and undetectable nature, Google increased the total reward to $5,000.

The company implemented immediate mitigations while working toward complete endpoint deprecation.

The vulnerability timeline spanned from the initial April 2025 report through full resolution by June 2025, when Google confirmed the No-JavaScript username recovery form had been completely deprecated.

This case highlights the ongoing security challenges posed by legacy system compatibility and the sophisticated methods attackers employ to bypass modern protections through seemingly innocuous features.
