A cybersecurity researcher was able to find out the telephone number linked to any Google account, information that is usually not public and often sensitive, according to the researcher, Google, and 404 Media's own tests.
The problem has since been fixed, but at the time it was a privacy issue in which even hackers with relatively few resources could have brute-forced their way to people's personal information.
“I think this exploitation is quite bad, as it is basically a gold mine for SIM swappers,” wrote the independent security researcher who found the problem, who goes by the handle brutecat. SIM swappers are hackers who take over a target's telephone number to receive their calls and texts, which in turn can let them into all types of accounts.
In mid-April, we provided brutecat with one of our personal Gmail addresses to test the vulnerability. About six hours later, brutecat responded with the correct and complete telephone number linked to this account.
“Essentially, the number is brutal,” brutecat said about their process. Brute forcing is when a hacker rapidly tries different combinations of digits or characters until they find the ones they are after. It is usually done in the context of finding someone’s password, but here brutecat does something similar to determine a Google user’s phone number.
In an email, brutecat said the brute force takes about an hour for a US number, or 8 minutes for one from the United Kingdom. For other countries, it may take less than a minute, they said.
In a video accompanying the exploit, brutecat explains that an attacker needs the target's Google display name. They first find this by transferring ownership of a document from Google's Looker Studio product to the target, according to the video. They say they modified the document's name to be millions of characters long, which ends up with the target not being notified of the ownership change. Using some custom code, which they detailed in their write-up, brutecat then barrages Google with guesses of the phone number until getting a hit.
“The victim is not notified at all :)” a caption in the video reads.
A Google spokesperson told 404 Media in a statement, “This problem has been solved. We have always emphasized the importance of working with the security research community through our vulnerability rewards program, and we want to thank the researcher for marking this problem. The researcher’s communications are one of the many ways we can quickly find and solve problems for our users’ safety.”
Telephone numbers are a key piece of information for SIM swappers. These types of hackers have been linked to countless hacks of individual people in order to steal online usernames or cryptocurrency. But sophisticated SIM swappers have also escalated to targeting massive companies. Some have worked directly with ransomware gangs from Eastern Europe.
Armed with the telephone number, a SIM swapper can impersonate the victim and convince their telecom to reroute text messages to a SIM card that the hacker controls. From there, the hacker can request password reset texts or multi-factor authentication codes and sign in to the victim's valuable accounts. This could include accounts that store cryptocurrency or, even more damaging, their email, which in turn could grant access to many other accounts.
On its website, the FBI recommends that people do not publish their telephone number publicly for this reason. “Protect your personal and financial information. Do not publish your telephone number, address or financial assets, including property or investment of cryptocurrencies, on social media sites,” the site reads.
In their write-up, brutecat said Google awarded them $5,000 and some swag for their findings. Initially, Google marked the vulnerability as having a low chance of exploitation. The company later upgraded that likelihood to medium, according to brutecat's write-up.