In the increasingly complex landscape of cybersecurity, where every piece of personal data can become a dangerous entry point for attackers, Google found itself having to confront and quickly fix a vulnerability as insidious as it was underestimated: a bug that, by combining official tools with account recovery mechanisms, could allow an attacker to trace the phone number associated with a Google profile in less than 20 minutes.


Here’s how attackers could trace the phone number associated with a Google account

Many users tend to underestimate how confidential their phone number should be. It is a piece of information shared casually with personal contacts, online services and apps of all kinds, yet today it has become a cornerstone of our digital identity, especially now that two-step verification (2FA) is increasingly widespread and often delivered by SMS.

It is precisely for this reason that Google, like other large technology companies, has always tried to keep users’ phone numbers as confidential as possible. However, as often happens in IT security, what is designed to protect can turn into a weapon in the hands of attackers if it is badly implemented.

The researcher known as brutecat found that it was possible to circumvent the protections of the Google account recovery system using a mix of clever techniques and a flaw in a page that did not use JavaScript to limit automated interaction (unlike most of the Mountain View giant’s forms).

The process relied on a chain of weaknesses:

  • Google shows a hint revealing the last two digits of the phone number associated with an account, which is useful to a legitimate user during recovery
  • Looker Studio, an analytics tool developed by Google itself, made it possible to obtain the display name linked to the account
  • At this point, using the international dialing prefix (which is also easy to deduce), an attacker could automate guessing the missing digits and, by circumventing the rate limits, arrive at the correct number surprisingly quickly, in as little as 4 minutes in the most favorable cases
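The chain above hinges on two things: a recovery hint that shrinks the guess space, and a rate limit that could be sidestepped by automation. The following Python is an added illustration, not Google’s code, using constructed numbers and a hypothetical account name; it contrasts a limiter keyed only by source IP (defeated by rotating addresses) with one keyed by the targeted account, which caps guesses no matter where they come from.

```python
from collections import defaultdict


def remaining_candidates(national_digits: int, revealed_suffix: int = 2) -> int:
    """Guess space left once the country prefix is known and a recovery
    hint has revealed the last `revealed_suffix` digits (hypothetical sizes)."""
    return 10 ** (national_digits - revealed_suffix)


class AttemptLimiter:
    """Sliding-window counter for verification attempts against a form.

    key_fn decides what the limit is tied to: the caller's IP, the targeted
    account, or both. This is a constructed model, not a real service's code.
    """

    def __init__(self, key_fn, max_attempts: int, window_s: float):
        self.key_fn = key_fn
        self.max_attempts = max_attempts
        self.window_s = window_s
        self._hits = defaultdict(list)  # key -> timestamps of recent attempts

    def allow(self, source_ip: str, target_account: str, now: float) -> bool:
        key = self.key_fn(source_ip, target_account)
        recent = [t for t in self._hits[key] if now - t < self.window_s]
        self._hits[key] = recent
        if len(recent) >= self.max_attempts:
            return False  # over the limit for this key inside the window
        recent.append(now)
        return True


def accepted_guesses(limiter: AttemptLimiter, n_guesses: int,
                     attacker_ips: list, target: str) -> int:
    """Count how many of n_guesses get through when the sender rotates
    across attacker_ips, all inside one limiter window (constructed run)."""
    allowed = 0
    for i in range(n_guesses):
        ip = attacker_ips[i % len(attacker_ips)]
        if limiter.allow(ip, target, now=i * 0.001):
            allowed += 1
    return allowed


# Constructed scenario: 200 rotating addresses from the TEST-NET-3 range.
ATTACKER_IPS = [f"203.0.113.{i}" for i in range(1, 201)]
TARGET = "victim@example.com"  # hypothetical account

per_ip_limiter = AttemptLimiter(lambda ip, acct: ip, max_attempts=5, window_s=60)
per_target_limiter = AttemptLimiter(lambda ip, acct: acct, max_attempts=5, window_s=60)
```

Keying the limit on the targeted account (or on both IP and account) is what actually bounds an enumeration, because the attacker controls the source address but not the victim’s identity.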

A technically sophisticated attack, but not so complex as to rule out real-world execution by malicious actors, especially where the target is a specific account.

https://www.youtube.com/watch?v=am3Iplyz4SW

The vulnerability was reported in April 2025 and, after careful analysis by the Google security team, was definitively fixed at the end of May. The company publicly confirmed that the problem has been resolved and paid a $5,000 reward as part of its bug bounty program.

In an official statement, Google reiterated the importance of collaboration with the security community, stressing that reports of this kind are essential to protecting users proactively and promptly.

While the flaw has been fixed and the alarm has passed, the crucial advice for all users remains: avoid, as far as possible, relying solely on a phone number for two-factor authentication. Solutions such as Google Authenticator or other dedicated apps, hardware security tokens, or passkeys based on the FIDO2 standards are far more robust alternatives today.

In conclusion, this story shows once again how thin the line is between convenience and online security: even a phone number can become a weapon if it ends up in the wrong hands. And while users must do their part by choosing stronger authentication tools, it is equally up to technology companies such as Google to ensure that their own tools never become a weak point in the digital ecosystem.