Fact Check: Brutecat found that Google's account recovery forms worked without JavaScript, which contributed to the vulnerability.

Published June 14, 2025
VERDICT
True

What We Know

The claim centers on a vulnerability discovered by a security researcher known as Brutecat, who reported that Google's account recovery forms could function without JavaScript enabled. This finding was surprising because, historically, these forms relied on JavaScript for anti-abuse measures, particularly through a system called BotGuard, which used obfuscated JavaScript code to prevent automated attacks (Bruteforcing the phone number of any Google user).

Brutecat detailed a process where the username recovery form allowed users to check if a recovery email or phone number was associated with a specific display name using just two HTTP requests, even when JavaScript was disabled. This capability was exploited to potentially uncover users' phone numbers through brute-force methods (Google brute-force attack exposes phone numbers in ...).
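
A defender-side view of the gap described above, as an added example that is not taken from Brutecat's write-up or from Google's systems: it scans lookup logs for requests that arrived without the JavaScript-issued anti-abuse token and flags any display name probed with many distinct candidate identifiers in a short window. The log format, field names, thresholds and sample records are all assumptions constructed for illustration.

```python
import json
from collections import defaultdict, deque

# Constructed sample records for a hypothetical recovery-lookup endpoint.
# Field names (ts, client, display_name, candidate, js_token) are assumptions.
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": 1000 + i, "client": f"198.51.100.{i % 5}",
                 "display_name": "Alex Example", "candidate": f"cand-{i:03d}",
                 "js_token": False}) for i in range(12)]
    + [json.dumps({"ts": 1003, "client": "203.0.113.7",
                   "display_name": "Sam Sample", "candidate": "cand-900",
                   "js_token": True}),
       json.dumps({"ts": 1500, "client": "203.0.113.9",
                   "display_name": "Sam Sample", "candidate": "cand-901",
                   "js_token": False})]
)

def find_enumeration(log_text, window_s=60, max_distinct=10):
    """Return {display_name: peak distinct candidates} for targets whose
    token-less lookups exceed max_distinct distinct candidates in window_s."""
    recent = defaultdict(deque)          # target -> deque of (ts, candidate)
    peaks = {}
    records = sorted((json.loads(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    for rec in records:
        if rec.get("js_token"):          # request carried the anti-abuse token
            continue
        # Key on the targeted name, not the client address, so lookups
        # spread across several addresses are still counted together.
        q = recent[rec["display_name"]]
        q.append((rec["ts"], rec["candidate"]))
        while q and q[0][0] <= rec["ts"] - window_s:
            q.popleft()                  # drop lookups older than the window
        distinct = len({c for _, c in q})
        if distinct > max_distinct:
            name = rec["display_name"]
            peaks[name] = max(peaks.get(name, 0), distinct)
    return peaks

if __name__ == "__main__":
    for target, n in find_enumeration(SAMPLE_LOG).items():
        print(f"ALERT: {n} distinct token-less lookups for {target!r} in 60s")
```
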

Analysis

The evidence provided by Brutecat is credible, as it is supported by detailed technical descriptions of the vulnerability and the methods used to exploit it. The researcher explicitly noted that the account recovery forms worked without JavaScript, which was unexpected given the reliance on JavaScript for security in previous iterations of the service (Bruteforcing the phone number of any Google user).

Multiple reputable sources corroborate the existence of this vulnerability. For instance, reports from Malwarebytes and Dark Reading confirm that the flaw allowed attackers to brute-force phone numbers tied to Google accounts, emphasizing the implications for user privacy and security.

However, it is important to consider the context of the reporting. While Brutecat's findings were significant, Google responded by patching the vulnerability quickly and awarding the researcher $5,000 as part of their bug bounty program, indicating that they took the issue seriously (Google fixes bug that could reveal users' private phone ...).

The reliability of the sources reporting on this incident is generally high, as they are well-known in the cybersecurity community and have a history of accurate reporting on similar issues. However, the potential for bias exists in how the severity of the vulnerability is portrayed, particularly in the context of Google's rapid response and the relatively modest bounty awarded.

Conclusion

The claim that "Brutecat found that Google's account recovery forms worked without JavaScript, which contributed to the vulnerability" is True. The evidence presented by Brutecat, along with corroborating reports from multiple reputable sources, confirms that the account recovery forms indeed functioned without JavaScript, which was a significant factor in the identified vulnerability. Google's acknowledgment and subsequent patching of the issue further validate the seriousness of the findings.

Sources

  1. Bruteforcing the phone number of any Google user
  2. Google brute-force attack exposes phone numbers in ...
  3. Google bug allowed phone number of almost any user to ...
  4. Google Bug Allowed Brute-Forcing of Any User Phone ...
  5. Researcher Found Flaw to Discover Phone Numbers ...
  6. Google patched bug leaking phone numbers tied to accounts
  7. Google fixes bug that could reveal users' private phone ...
  8. This Google account vulnerability could have revealed ...
