Fact Check: Brutecat found that Google's account recovery forms worked without JavaScript, which contributed to the vulnerability.

June 14, 2025 by TruthOrFake AI
VERDICT
True

What We Know

The claim centers on a vulnerability reported by the security researcher known as Brutecat, who found that Google's account recovery forms still functioned with JavaScript disabled. This was notable because the JavaScript-enabled version of these forms relied on Google's anti-abuse system BotGuard, which uses obfuscated JavaScript to make automated requests expensive; a working no-JavaScript path sidestepped that protection (Bruteforcing the phone number of any Google user).

Brutecat described how the username recovery form, even with JavaScript disabled, could be used to check whether a given recovery email address or phone number was associated with a given display name using just two HTTP requests. Because the form answered that question for arbitrary candidates, it acted as an oracle: an attacker could iterate through candidate phone numbers until the form confirmed a match, exposing the phone number linked to an account (Google brute-force attack exposes phone numbers in ...).
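The class of weakness described above, as an added simulation that is not Brutecat's tooling, Google's endpoint, or Google's fix: a lookup form with no JavaScript challenge in front of it answers yes or no for any (display name, phone) pair, so the phone number can be enumerated one request per candidate. The account data, the numbers, the candidate space, the token scheme and the per-target cap in the hardened variant are all constructed assumptions for illustration.

```python
"""Added example (not Brutecat's tool, not Google's endpoint or fix).

Simulates the class of weakness the fact-check describes: a recovery form
that answers "is this phone number tied to this display name?" over plain
HTTP, with no JavaScript-based challenge in front of it, so the answer can be
brute-forced. Account data, numbers, the candidate space, the token scheme
and the per-target cap are all constructed assumptions for illustration.
"""
import itertools
import secrets
from collections import defaultdict

# Constructed account store: display name -> recovery phone (not real data).
ACCOUNTS = {"Jane Example": "+15555550137"}


class ChallengeRequired(Exception):
    """Request arrived without a token from the JavaScript challenge."""


class RateLimited(Exception):
    """Too many lookups against one display name."""


class LegacyRecoveryForm:
    """Models the no-JavaScript fallback: plain parameters, no challenge
    token, and a yes/no answer that acts as an oracle on (name, phone)."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.requests = 0

    def lookup(self, display_name, phone):
        self.requests += 1
        return self.accounts.get(display_name) == phone


class HardenedRecoveryForm(LegacyRecoveryForm):
    """Hypothetical hardening: a single-use token minted by the challenge is
    mandatory, and lookups per target display name are capped. Tokens are
    free to mint here only to keep the simulation offline; in practice the
    challenge is what makes each token costly to obtain."""

    def __init__(self, accounts, max_attempts=5):
        super().__init__(accounts)
        self.max_attempts = max_attempts
        self.attempts = defaultdict(int)
        self._issued = set()

    def issue_token(self):
        token = secrets.token_hex(16)
        self._issued.add(token)
        return token

    def lookup(self, display_name, phone, token=None):
        self.requests += 1
        if token not in self._issued:
            raise ChallengeRequired(display_name)
        self._issued.discard(token)          # single use
        self.attempts[display_name] += 1
        if self.attempts[display_name] > self.max_attempts:
            raise RateLimited(display_name)
        return self.accounts.get(display_name) == phone


def brute_force(form, display_name, prefix, unknown_digits, token_source=None):
    """Try every completion of `prefix`; return the number the oracle confirms.
    `token_source`, if given, is called once per request to obtain a token."""
    for tail in itertools.product("0123456789", repeat=unknown_digits):
        candidate = prefix + "".join(tail)
        if token_source is None:
            hit = form.lookup(display_name, candidate)
        else:
            hit = form.lookup(display_name, candidate, token=token_source())
        if hit:
            return candidate
    return None


def attack_legacy():
    """Oracle with no anti-automation: enumeration succeeds.
    Returns (phone found, requests needed)."""
    form = LegacyRecoveryForm(ACCOUNTS)
    found = brute_force(form, "Jane Example", "+1555555", 4)
    return found, form.requests


def attack_hardened(with_token):
    """Same enumeration against the hardened form.
    Returns (outcome, requests made before the form refused)."""
    form = HardenedRecoveryForm(ACCOUNTS)
    source = form.issue_token if with_token else None
    try:
        brute_force(form, "Jane Example", "+1555555", 4, token_source=source)
    except ChallengeRequired:
        return "challenge_required", form.requests
    except RateLimited:
        return "rate_limited", form.requests
    return "found", form.requests


if __name__ == "__main__":
    print("legacy form:    ", attack_legacy())
    print("hardened, no JS:", attack_hardened(with_token=False))
    print("hardened, JS:   ", attack_hardened(with_token=True))
```

Against the legacy form the cost of recovering the number is one request per candidate, so any knowledge that shrinks the candidate space (here a known prefix leaving four digits) makes the search cheap. The hardened variant refuses the first request that carries no challenge token and cuts off enumeration after a handful of lookups against the same display name; the point is that the check must apply on every path the form can be reached through, not only the JavaScript one.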

Analysis

The evidence provided by Brutecat is credible: it is supported by a detailed technical description of the vulnerability and of the method used to exploit it. The researcher explicitly noted that the account recovery forms worked without JavaScript, which was unexpected given the reliance on JavaScript-based protections in earlier versions of the service (Bruteforcing the phone number of any Google user).

Multiple reputable sources corroborate the existence of this vulnerability. For instance, reports from Malwarebytes and Dark Reading confirm that the flaw allowed attackers to brute-force phone numbers tied to Google accounts, emphasizing the implications for user privacy and security.

Context also matters. While Brutecat's findings were significant, Google patched the vulnerability quickly and awarded the researcher $5,000 under its bug bounty program, indicating that it took the issue seriously (Google fixes bug that could reveal users' private phone ...).

The reliability of the sources reporting on this incident is generally high, as they are well-known in the cybersecurity community and have a history of accurate reporting on similar issues. However, the potential for bias exists in how the severity of the vulnerability is portrayed, particularly in the context of Google's rapid response and the relatively modest bounty awarded.

Conclusion

The claim that "Brutecat found that Google's account recovery forms worked without JavaScript, which contributed to the vulnerability" is True. The evidence presented by Brutecat, along with corroborating reports from multiple reputable sources, confirms that the account recovery forms indeed functioned without JavaScript, which was a significant factor in the identified vulnerability. Google's acknowledgment and subsequent patching of the issue further validate the seriousness of the findings.

Sources

  1. Bruteforcing the phone number of any Google user
  2. Google brute-force attack exposes phone numbers in ...
  3. Google bug allowed phone number of almost any user to ...
  4. Google Bug Allowed Brute-Forcing of Any User Phone ...
  5. Researcher Found Flaw to Discover Phone Numbers ...
  6. Google patched bug leaking phone numbers tied to accounts
  7. Google fixes bug that could reveal users' private phone ...
  8. This Google account vulnerability could have revealed ...
