Mirai Exploits Wazuh API Vulnerability in Latest Malware Campaign – Active IOCs
June 10, 2025
Severity
High
Analysis Summary
A critical security vulnerability in Google’s legacy account recovery system allowed attackers to obtain the phone numbers of Google users through a highly efficient brute-force attack, as disclosed by a security researcher. The flaw lay in a No-JavaScript (No-JS) version of the username recovery form, which still relied on outdated security protections. This allowed attackers to systematically test and confirm whether a given phone number was linked to a particular Google account display name, enabling phone number enumeration. Google patched the vulnerability after being alerted in April 2025 and removed the entire No-JS recovery feature by June 6, 2025.
According to the researcher, the exploit unfolded in three distinct steps. First, attackers used Google Looker Studio to obtain a victim’s display name by transferring document ownership, which leaked the name without any interaction from the victim. Then, they used Google’s “Forgot Password” flow to retrieve a partial phone number, typically showing only the final few digits. Finally, a custom-built brute-forcing tool dubbed “gpb” was used to test phone number combinations against the No-JS recovery form, cross-checking each candidate against the previously obtained display name to recover the full phone number. This chain of actions enabled attackers to breach user privacy with minimal resistance.
What made the attack particularly powerful was the researcher’s ability to bypass Google’s abuse-prevention mechanisms. Vast IPv6 address pools, offering over 18 quintillion unique IP addresses, were used to rotate request origins and effectively circumvent per-address rate limiting. Additionally, BotGuard tokens obtained from JavaScript-enabled sessions were reused to sidestep CAPTCHA challenges in the No-JS environment, making automated brute-force attacks feasible at scale. The researcher achieved speeds of up to 40,000 verification attempts per second using a low-cost server, allowing a full phone number to be recovered quickly, with the exact time depending on the numbering scheme of the target’s country.
Google responded swiftly after disclosure, first applying temporary mitigations and eventually retiring the vulnerable endpoint. Initially, the company awarded the researcher a bounty of $1,337 but increased it to $5,000 after an appeal emphasized the attack’s sophistication, stealth, and lack of prerequisites. The incident underscores the risk posed by outdated or forgotten web endpoints and is a reminder that comprehensive, ongoing security audits must cover legacy systems that are easily overlooked during standard development and monitoring.
Impact
- Sensitive Data Theft
- Reputational Damage
Remediation
- Swiftly decommission or severely restrict access to all vulnerable and outdated legacy endpoints.
- Conduct thorough and ongoing security audits specifically targeting all legacy systems and overlooked web features.
- Implement advanced, behavior-based rate-limiting and robust IP reputation management across all systems.
- Enhance bot detection and CAPTCHA mechanisms to be context-aware and resistant to token repurposing, securing all critical flows.
- Review and minimize data exposure in all account recovery and sensitive information display forms to prevent enumeration.
- Establish comprehensive, centralized logging, monitoring, and automated alerting for all abnormal activity, especially on legacy systems.
- Integrate secure end-of-life planning into the SSDLC to ensure the secure retirement of deprecated features and systems.
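The IPv6 rotation described in the analysis above defeats any rate limiter keyed on the full client address, because every request can arrive from a fresh address. The following added example (not code from the advisory, Google, or the researcher) shows the behavior-based rate limiting suggested in the remediation list: an account-recovery limiter that collapses IPv6 clients to their /64 prefix, so rotating within one delegated network no longer resets the counter. The class, function and prefix sizes are illustrative assumptions; the simulated traffic is constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: one /64 is the smallest network normally delegated to a single
# subscriber, so it is a reasonable default bucket for IPv6 rate limiting.
def rate_limit_key(client_ip: str, v6_prefix: int = 64) -> str:
    """Bucket key for a client: IPv4 per address, IPv6 per network prefix."""
    addr = ipaddress.ip_address(client_ip)
    prefix = v6_prefix if addr.version == 6 else 32
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class RecoveryRateLimiter:
    """Sliding-window limiter: at most `limit` attempts per `window` seconds per bucket."""

    def __init__(self, limit: int, window: float, v6_prefix: int = 64):
        self.limit = limit
        self.window = window
        self.v6_prefix = v6_prefix
        self._hits = defaultdict(list)  # bucket key -> timestamps of recent attempts

    def allow(self, client_ip: str, now: float) -> bool:
        key = rate_limit_key(client_ip, self.v6_prefix)
        hits = self._hits[key]
        cutoff = now - self.window
        while hits and hits[0] <= cutoff:  # forget attempts outside the window
            hits.pop(0)
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def simulate_rotation(limiter: RecoveryRateLimiter, network: str, attempts: int) -> int:
    """Constructed traffic: each attempt comes from a different address inside
    `network`, one per millisecond. Returns how many attempts were admitted."""
    net = ipaddress.ip_network(network)
    admitted = 0
    for i in range(attempts):
        if limiter.allow(str(net[i + 1]), now=i * 0.001):
            admitted += 1
    return admitted


if __name__ == "__main__":
    per_address = RecoveryRateLimiter(limit=5, window=60.0, v6_prefix=128)
    per_prefix = RecoveryRateLimiter(limit=5, window=60.0, v6_prefix=64)
    print("per-address limiter admitted:", simulate_rotation(per_address, "2001:db8::/64", 100))
    print("per-/64 limiter admitted:   ", simulate_rotation(per_prefix, "2001:db8::/64", 100))
```

The per-address limiter admits all 100 rotated attempts, while the prefix-keyed limiter admits only the configured 5; in production the prefix bucket would be one signal combined with account-level counters and the token and CAPTCHA checks listed above.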