A cybersecurity researcher was able to determine the phone number linked to any Google account, information that is usually not public and is often sensitive, according to the researcher, Google, and 404 Media's tests.
The issue has since been fixed, but at the time it presented a privacy problem in which even hackers with relatively few resources could have brute forced their way to people's personal information.
“I think this exploitation is very bad because it is primarily a gold mine for SIM swappers,” the independent security researcher who found the issue, who goes by the handle brutecat, wrote in an email. SIM swappers are hackers who take over a target's phone number in order to receive their calls and texts, which in turn can let them break into all kinds of accounts.
In mid-April, we provided brutecat with one of our personal Gmail addresses to test the vulnerability. About six hours later, brutecat responded with the correct and full phone number associated with this account.
“Basically, it is showing the numbers,” brutecat said. Brute forcing is when a hacker rapidly tries different combinations of digits or characters until they find the ones they are after. Usually this is in the context of finding someone's password, but here brutecat is doing something similar to determine a Google user's phone number.
In an email, brutecat said that the brute forcing takes an hour for a US number, or 8 minutes for a UK one. For other countries, it may take less than a minute, he said.
In a video demonstrating the exploit, brutecat explains that an attacker needs the target's Google display name. The video states that they first find this by transferring ownership of a document from Google's Looker Studio product to the target. He says he modified the document's name to be millions of characters long, with the result that the target is not notified of the ownership switch. Using some custom code, which he describes in detail in his write-up, brutecat then barrages Google with guesses of the phone number until the correct one is found.
A caption in the video reads, “The affected person has not been notified at all :)”
A Google spokesperson told 404 Media in a statement: “This problem has been settled. We have always emphasized the importance of working with the security research community through our risky rewards program and we are trying to thank the researchers for their use of their own researchers for their solutions.”
Phone numbers are a key piece of information for SIM swappers. These sorts of hackers have been linked to countless hacks of individual people in order to steal online usernames or cryptocurrency. But sophisticated SIM swappers have also increasingly targeted large companies. Some have worked directly with ransomware groups from Eastern Europe.
Armed with a phone number, a SIM swapper can then impersonate the victim and convince their telecom to reroute text messages to a SIM card the hacker controls. From there, the hacker can request text messages, or multi-factor verification codes, and log into the victim's valuable accounts. These may include accounts that store cryptocurrency or, even more damaging, email, which in turn can grant access to many other accounts.
On its website, the FBI recommends that people not publicly advertise their phone number for this reason. “Protect your personal and financial information. Do not advertise your phone numbers, addresses, or financial assets, including ownership or cryptocurrency investment, on social media sites.”
In his write-up, brutecat said that Google awarded him $5,000 and some swag for his findings. Initially, Google marked the vulnerability as having a low chance of exploitation. According to brutecat's write-up, the company later upgraded that likelihood to medium.


