Unmasking Anonymity: How One Researcher Hacked Google’s Recovery System in Seconds
- Sanket Kamble
- Jun 12
- 3 min read

Imagine if someone could guess your phone number and link it directly to your Google account in just 5 seconds. Sound like a spy thriller? Well, it almost happened. Thanks to a razor-sharp researcher in Singapore known as “brutecat,” a subtle but dangerous security flaw in Google’s account recovery system was uncovered, one that could have blown the lid off millions of users’ private phone numbers. This wasn’t just a bug. It was a potential privacy crisis hiding in plain sight.
The Flaw That Slipped Through the Cracks
Google, known for its ironclad security, had a vulnerability buried deep in a now-deprecated, JavaScript-disabled version of its username recovery page (`accounts.google.com/signin/usernamerecovery`). The goal of the page was simple: help users find their account using their phone number or email address. But the execution had a problem: it lacked proper protections against someone rapidly guessing phone numbers over and over.
This meant that a hacker could theoretically brute-force all possible phone number combinations against the recovery form. And once they guessed right, it would confirm the association, a privacy leak of epic proportions.
The Genius Behind the Exploit
The researcher, brutecat, chained together multiple loopholes like a puzzle:
1. Display Name Leak: First, he sent a Looker Studio document to the target. Just by doing that, the victim’s full display name appeared on the dashboard.
2. Forgot Password Trick: Next, by triggering Google’s “Forgot Password” flow, he got a masked phone number tied to the account (e.g., `•• ••••••03`).
3. Brute-Force the Final Digits: Then, using the vulnerable recovery page, he rapidly tried every possible phone number ending in ‘03’ until he hit gold.
How fast was this?
- A Singaporean number could be revealed in 5 seconds.
- A U.S. number took about 20 minutes.
That’s shockingly fast for a brute-force attack, and that’s what made it so dangerous.
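A defender-side illustration of the gap described above, added here and not brutecat’s or Google’s code: a small detector that flags a client submitting many distinct phone numbers to a recovery form inside a short window, and notes when every guess shares the same trailing digits, the pattern a masked hint like `•• ••••••03` would produce. The log format, thresholds and client addresses are constructed assumptions.

```python
"""Flag rapid phone-number enumeration against a username-recovery form.

Constructed log format (not a real service's): one lookup per line as
"<unix_ts> <client_key> <phone_guess> <result>".
"""
from collections import defaultdict, deque

# Constructed sample traffic: the first client walks candidates that all end
# in "03" within one second; the second is an ordinary user retrying later.
SAMPLE_LOG = """\
1700000000.0 198.51.100.7 +6591000003 no_match
1700000000.2 198.51.100.7 +6591000103 no_match
1700000000.4 198.51.100.7 +6591000203 no_match
1700000000.6 198.51.100.7 +6591000303 no_match
1700000000.8 198.51.100.7 +6591000403 match
1700000030.0 203.0.113.9 +6598887777 no_match
1700000095.0 203.0.113.9 +6598887777 match
"""


def parse(log_text):
    """Yield (timestamp, client, phone) tuples from the constructed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, phone, _result = line.split()
        yield float(ts), client, phone


def detect_enumeration(log_text, window_s=60.0, max_distinct=3, suffix_len=2):
    """Return {client: {"distinct": n, "shared_suffix": s}} for every client
    whose distinct guesses inside any sliding window_s exceed max_distinct.
    shared_suffix is the common trailing digits, or None if they differ.
    Thresholds are illustrative, not tuned for production traffic."""
    recent = defaultdict(deque)  # client -> deque of (ts, phone) in window
    alerts = {}
    for ts, client, phone in sorted(parse(log_text)):
        q = recent[client]
        q.append((ts, phone))
        while q and ts - q[0][0] > window_s:  # expire entries past the window
            q.popleft()
        guesses = {p for _, p in q}
        if len(guesses) > max_distinct:
            suffixes = {p[-suffix_len:] for p in guesses}
            alerts[client] = {
                "distinct": len(guesses),
                "shared_suffix": suffixes.pop() if len(suffixes) == 1 else None,
            }
    return alerts
```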
Why It’s a Big Deal
Now here’s where it gets thrilling and chilling: once an attacker links your Google account to a real phone number, they could initiate a SIM-swap attack. This involves tricking your phone provider into transferring your number to their device. Once they do that, they could reset your Google password, get into your Gmail, and own every app or service tied to your number, from banking to social media.
This vulnerability wasn’t just about numbers. It was about identity takeover.
Brutecat Strikes Again
This isn’t the first time brutecat has uncovered high-stakes flaws:
- In an earlier $10,000 exploit, he used the YouTube API to leak any channel owner's email address.
- In a $20,000 discovery, he found a way to de-anonymize YouTubers via the `/get_creator_channels` endpoint, exposing monetization data and emails of creators in the YouTube Partner Program.
These weren't bugs. They were digital x-rays into platforms we trust blindly.
Google Responds
To their credit, Google responded quickly:
- They awarded $5,000 to brutecat for this flaw.
- On June 6, 2025, they disabled the vulnerable recovery page entirely.
- They also patched the YouTube-related issues and issued statements acknowledging the severity.
Still, this whole saga shows how even tech giants can miss critical privacy cracks, until someone shines a flashlight on them.
Unique Perspective: Privacy Isn't Binary
This case shows us something fundamental: privacy isn’t an on/off switch. It’s a scale. Google didn’t “leak” your number outright, but it made it possible for someone smart enough to figure it out. That kind of gray-zone privacy breach is what makes today’s cybersecurity landscape so difficult to defend.
And it’s not just Google. Every form, every API, every obscure fallback version of a page could be an attack vector waiting to happen.
Watch What You Link
What should users take away from this?
- Limit how many services use your real phone number.
- Avoid using your main number for public or semi-public accounts.
- Push platforms to reduce over-reliance on SMS and recovery phone numbers.
Thanks to researchers like brutecat, the web is a bit safer, but it’s a constant war of discovery, and users need to stay informed, vigilant, and curious.