Fact Check: A white-hat hacker known as Brutecat discovered a flaw in Google's authentication systems that allowed brute-force attacks to expose the phone numbers of Google users in October 2023.

Published June 14, 2025
VERDICT
True

What We Know

In October 2023, a security researcher operating under the alias Brutecat identified a significant vulnerability in Google's authentication systems. This flaw allowed brute-force attacks that could expose the phone numbers of Google users. The vulnerability was rooted in the account recovery process, which provided partial phone number hints that attackers could exploit. According to The Register, Brutecat explained that the exploit required only the victim's email address to obtain the phone number tied to the account. The researcher used a Google Looker Studio account and cloud services to bypass security measures, exposing phone numbers in a matter of seconds for various countries.

Brutecat's findings indicated that the flaw was due to a code oversight in Google's systems, which allowed for brute-force attempts without adequate protections. The researcher noted that the vulnerability was particularly concerning because it could facilitate SIM-swapping attacks, which are often used in identity theft scenarios (Wired). Google acknowledged the issue and awarded Brutecat $5,000 through its bug bounty program, although the researcher felt the reward was low given the potential impact of the flaw (The Register).

Analysis

The claim that Brutecat discovered a flaw in Google's authentication systems is supported by multiple credible sources. The vulnerability was confirmed by Malwarebytes and BleepingComputer, both of which reported on the nature of the flaw and its implications for user security. Furthermore, the Hacker News and Security Affairs articles corroborate the details of how the vulnerability was exploited and the methods used by Brutecat to reveal phone numbers.

Brutecat's own detailed account on their website provides a comprehensive explanation of the techniques employed to exploit the vulnerability, including the use of IPv6 to bypass rate limits and the manipulation of Google's account recovery forms (Brutecat). The technical depth of this explanation adds to the credibility of the claim, as it demonstrates a clear understanding of the systems involved.

However, it is essential to consider the potential biases of the sources. Articles from tech-focused outlets like Wired and The Register are generally reliable but may emphasize sensational aspects of the story. Nonetheless, the consistency across various reports from different outlets strengthens the overall reliability of the information.

Conclusion

The claim that Brutecat discovered a flaw in Google's authentication systems that allowed brute-force attacks to expose user phone numbers in October 2023 is True. The evidence from multiple credible sources confirms the existence of the vulnerability, the methods used to exploit it, and Google's subsequent acknowledgment and remediation of the issue.

Sources

  1. Google brute-force attack exposes phone numbers in ...
  2. Bruteforcing the phone number of any Google user
  3. A Researcher Figured Out How to Reveal Any Phone ...
  4. Google bug allowed phone number of almost any user to ...
  5. Google Fixes Critical Vulnerability Exposing Phone ...
  6. Google patched bug leaking phone numbers tied to accounts
  7. Researcher Found Flaw to Discover Phone Numbers ...
  8. A flaw could allow recovery of the phone number ...
