Google has fixed a security flaw that made it possible to brute-force the recovery phone number associated with any Google account, exposing account holders to privacy and security risks.
The issue stems from a weakness in Google's account recovery functionality, according to Singapore-based security researcher Brutecat.
Specifically, the vulnerability hinges on the no-JavaScript version of Google's username recovery form (accounts.google.com/signin/usernamerecovery), which lacked the anti-abuse protections designed to block spammy requests.
The page in question lets a user check whether a recovery email address or phone number is associated with a specific display name (e.g. "John Smith").
By bypassing the CAPTCHA-based rate limiting, it became possible to try every possible phone number for a Google account in a short time; depending on the length of the phone number (which varies by country), the correct number could be reached in seconds or minutes.
To make the attack practical, an attacker could use Google's forgot-password flow to learn the country code and the masked form of the victim's phone number, and obtain the victim's display name by creating a Looker Studio document and transferring its ownership to the victim, which leaks the victim's full name on the attacker's Looker Studio home page.
Overall, the exploit involves the following steps –
- Leak the target's Google account display name via Looker Studio
- Run the forgot-password flow for the target email address to obtain the masked phone number, of which only the last two digits are shown to the attacker (e.g. ••••03)
- Brute-force the remaining digits of the phone number against the username recovery endpoint
Brutecat said that with these techniques a Singapore phone number could be leaked in about five seconds, while a US number took about 20 minutes.
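The brute-force step above is essentially a candidate enumeration driven by an oracle that answers "is this phone number tied to this display name?". The following example is added here for illustration and is not the researcher's tooling or any Google code: it models the endpoint as a local mock oracle, enumerates every number that fits a masked suffix, and shows why the size of the search space differs by country. The 8-digit Singapore and 10-digit US subscriber lengths are assumptions about national numbering plans, the sample account is constructed, and the per-display-name attempt cap is an illustration of the kind of anti-abuse check whose absence the article describes, not a description of Google's actual fix.

```python
import itertools

# Constructed sample account (not real data). The attacker is assumed to know
# the display name (via Looker Studio) and the masked number "+65 ••••••03".
SAMPLE_ACCOUNTS = [{"display_name": "John Smith", "phone": "+6591234503"}]


class RecoveryOracle:
    """Mock of a username-recovery style check.

    check() answers whether a (display name, phone) pair matches an account.
    max_attempts_per_name is a hypothetical per-target cap that models the
    anti-abuse protection the no-JS form lacked; None means unlimited lookups.
    """

    def __init__(self, accounts, max_attempts_per_name=None):
        self._pairs = {(a["display_name"], a["phone"]) for a in accounts}
        self.max_attempts = max_attempts_per_name
        self.attempts = {}

    def check(self, display_name, phone):
        n = self.attempts.get(display_name, 0) + 1
        self.attempts[display_name] = n
        if self.max_attempts is not None and n > self.max_attempts:
            raise PermissionError("too many lookups for this display name")
        return (display_name, phone) in self._pairs


def search_space(subscriber_len, known_suffix_len):
    """Number of candidates once the country code and the trailing digits are known."""
    return 10 ** (subscriber_len - known_suffix_len)


def candidates(country_code, subscriber_len, suffix):
    """Yield every E.164 number with this country code, subscriber length and suffix."""
    unknown = subscriber_len - len(suffix)
    for mid in itertools.product("0123456789", repeat=unknown):
        yield f"+{country_code}{''.join(mid)}{suffix}"


def brute_force(oracle, display_name, country_code, subscriber_len, suffix):
    """Try candidates in order until the oracle confirms one or cuts us off.

    Returns (phone or None, number of lookups made).
    """
    attempts = 0
    for phone in candidates(country_code, subscriber_len, suffix):
        attempts += 1
        try:
            hit = oracle.check(display_name, phone)
        except PermissionError:
            return None, attempts  # abuse protection stopped the enumeration
        if hit:
            return phone, attempts
    return None, attempts


if __name__ == "__main__":
    # Assumed subscriber lengths: Singapore 8 digits, US (NANP) 10 digits.
    print("SG candidates:", search_space(8, 2))   # 1,000,000
    print("US candidates:", search_space(10, 2))  # 100,000,000

    unlimited = RecoveryOracle(SAMPLE_ACCOUNTS)
    print("no abuse protection:", brute_force(unlimited, "John Smith", "65", 8, "03"))

    capped = RecoveryOracle(SAMPLE_ACCOUNTS, max_attempts_per_name=1000)
    print("with per-name cap:", brute_force(capped, "John Smith", "65", 8, "03"))
```

The uncapped run walks the full candidate list and recovers the constructed number; the capped oracle aborts after 1,000 lookups for that display name, long before the search space is exhausted. The two search_space values also show one reason the article's timings differ by country: with the same two trailing digits known, a 10-digit number has a hundred times more candidates than an 8-digit one.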
https://www.youtube.com/watch?v=am3iplyz4sw
Armed with the phone number associated with a Google account, a bad actor could take control of that number through a SIM swap attack and ultimately reset the password of any account tied to it.
Following responsible disclosure on April 14, 2025, Google awarded the researcher a $5,000 bug bounty and fixed the vulnerability by completely removing the no-JavaScript username recovery form as of June 6, 2025.
The findings come months after the same researcher showed that a flaw in the YouTube API could be chained with an outdated web API associated with Pixel Recorder to expose the email address of a YouTube channel owner.
Then, in March, Brutecat revealed that it was possible to abuse an access control issue in the "/get_creator_channels" endpoint to collect the email addresses of creators who are part of the YouTube Partner Program (YPP).
"The /get_creator_channels access control issue leaks channelContentOwnerAssociation, which leads to the disclosure of channel email addresses through the Content ID API," Google said.
"An attacker who has access to a Google account with a channel that has joined the YouTube Partner Program (over 3 million channels) can get monetization details for other channels in the YouTube Partner Program. An attacker can use this to unmask YouTubers (as YouTube has a pseudo-anonymity expectation),