by Pieter Arntz at Malwarebytes Labs
Google has fixed vulnerabilities that made it possible to retrieve the phone numbers of almost any Google user. The flaw was found in the flow that allows users to recover their Google account using a phone number.
A cybersecurity researcher called Brutecat was able to figure out the phone number linked to any Google account, information that is usually not public and is considered sensitive.
Brutecat found that the page where users can recover their Google account if they have forgotten their login details lacked BotGuard protection. BotGuard is a cloud-based cybersecurity solution designed to protect websites and web applications from malicious bots, automated attacks, crawlers, and scrapers.
However, BotGuard does not work on websites that do not use Javascript. This is because many of its advanced detection techniques rely on executing Javascript in the visitor’s browser to gather client-side data. If a website does not serve Javascript, or if a user or bot disables Javascript, BotGuard cannot collect the necessary information for fingerprinting or behavioral analysis.
Brutecat also had to use rotating IP addresses and a trick to bypass the occasional…
Continue Reading