Market Impact: 0.2

Researcher Found Flaw to Discover Phone Numbers Linked to Any Google Account

GOOGL
Technology & Innovation | Cybersecurity & Data Privacy | Product Launches | Legal & Litigation | Patents & Intellectual Property

Google has patched a security vulnerability that allowed attackers to potentially brute-force Google account recovery phone numbers via a deprecated username recovery form, which lacked sufficient anti-abuse protections. A security researcher, 'brutecat,' demonstrated how an attacker could leverage this flaw, in conjunction with other techniques like exploiting Looker Studio and the 'Forgot Password' flow, to reveal a user's phone number and subsequently take control of associated accounts through SIM swapping. Google has since removed the vulnerable form and awarded the researcher a $5,000 bug bounty; this follows prior disclosures by the same researcher regarding YouTube API exploits that could expose email addresses of channel owners.

Analysis

Alphabet Inc.'s Google (GOOGL) has successfully addressed a security vulnerability within its account recovery framework that could have allowed attackers to brute-force a user's recovery phone number. The flaw, identified by security researcher 'brutecat,' resided in a deprecated, non-JavaScript version of Google's username recovery form which lacked sufficient anti-abuse protections like CAPTCHA-based rate limiting. Exploitation involved a multi-step process: leaking the Google account display name (e.g., via Looker Studio), obtaining a masked phone number with the last two digits from the 'Forgot Password' flow, and then brute-forcing the remaining digits against the vulnerable recovery endpoint. This technique could reportedly reveal a Singapore-based number in approximately 5 seconds and a U.S. number in about 20 minutes, creating a pathway for SIM-swapping attacks and subsequent account takeovers.

Google remediated this specific issue by completely removing the non-JavaScript username recovery form as of June 6, 2025, following responsible disclosure on April 14, 2025, and awarded the researcher a $5,000 bug bounty. This incident, while now resolved, is part of a series of vulnerabilities discovered by the same researcher, including two prior YouTube API exploits (resulting in $10,000 and $20,000 bounties) that could expose email addresses of channel owners and YouTube Partner Program members.

The market's reaction to this latest disclosure appears muted, with a neutral overall sentiment score (0.1), a low market impact score (0.2), and a slightly negative sentiment for GOOGL (-0.1), suggesting it's viewed as an operational cybersecurity event rather than a significant material risk. The pattern of discoveries, however, underscores the persistent cybersecurity challenges faced by large technology platforms and the utility of bug bounty programs.