Digital Detective Work: How a JavaScript Experiment Exposed Google's Phone Number Leak Vulnerability
A cybersecurity researcher's curiosity about Google's functionality without JavaScript accidentally uncovered a critical vulnerability chain that could have allowed attackers to extract any user's phone number. The discovery, made public on Monday, demonstrates how seemingly innocuous features can be combined to create serious privacy risks.

The researcher, who is from Singapore and operates under the pseudonyms Brutecat and Skull, initially set out to explore which Google services remained functional when JavaScript was disabled in web browsers. This experimental approach led to an unexpected finding that would ultimately earn him a $5,000 bug bounty from Google.
The Multi-Step Exploitation Process
The vulnerability discovery began when Brutecat noticed that Google's account recovery forms continued to operate even without JavaScript enabled. Through careful analysis, he determined that these forms could be manipulated using just two HTTP requests to verify whether specific recovery email addresses or phone numbers were linked to particular account display names.
The researcher's investigation revealed a more serious flaw: the ability to extract complete phone numbers through systematic brute-force attacks. By exploiting weaknesses in Google's rate limiting protections, he could bypass security measures using different IPv6 addresses for each request, combined with BotGuard tokens obtained from Google's own systems.
However, the exploitation process required an additional component—a method to obtain the display name associated with any given Gmail address. Brutecat solved this challenge by discovering an abuse vector within Google's Looker Studio platform, a business intelligence tool designed for creating data reports and dashboards.
The Looker Studio Connection
The key breakthrough came through manipulating Looker Studio's ownership transfer feature. By creating a document within the platform and transferring ownership to a target user's email address, the system would automatically display the victim's account name, providing the missing piece needed for the complete exploitation chain.
With all components in place, an attacker armed with only a target's email address could execute the following sequence:
- Use Looker Studio to reveal the victim's display name
- Leverage the password recovery system to obtain a partially masked phone number
- Conduct a brute-force attack to determine the complete phone number
The efficiency of this attack proved remarkable during testing. According to Brutecat's experiments, extracting a US phone number required approximately 20 minutes, while UK numbers could be obtained in just 4 minutes. Phone numbers from the Netherlands and Singapore could be compromised in mere seconds, all achievable using a rented server costing only $0.30 per hour.
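The rate-limit bypass described above depended on each request arriving from a different IPv6 address. As an added defensive illustration (not Google's code or its actual fix), the sketch below replays constructed traffic through a sliding-window limiter keyed first on the full address and then on the client's /64 prefix; the window, budget, prefix length and sample addresses are all assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed window length
MAX_REQUESTS = 5      # assumed budget per bucket per window
V6_PREFIX = 64        # assumed aggregation size (one end-site subnet)


def client_key(addr: str, aggregate: bool) -> str:
    """Return the rate-limit bucket for a client address."""
    ip = ipaddress.ip_address(addr)
    if aggregate and ip.version == 6:
        # Collapse every address in the same /64 into a single bucket.
        return str(ipaddress.ip_network(f"{ip}/{V6_PREFIX}", strict=False))
    return str(ip)


class SlidingWindowLimiter:
    def __init__(self, aggregate: bool):
        self.aggregate = aggregate
        self.hits = defaultdict(deque)  # bucket -> timestamps of allowed hits

    def allow(self, addr: str, now: float) -> bool:
        q = self.hits[client_key(addr, self.aggregate)]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()                 # drop hits that left the window
        if len(q) >= MAX_REQUESTS:
            return False
        q.append(now)
        return True


def replay(aggregate: bool, requests) -> int:
    """Count how many (address, timestamp) requests the limiter lets through."""
    limiter = SlidingWindowLimiter(aggregate)
    return sum(limiter.allow(addr, ts) for addr, ts in requests)


# Constructed traffic: 200 requests in 20 s, each from a different address in
# the documentation prefix 2001:db8:1:2::/64, plus one ordinary IPv4 client.
SAMPLE = [(f"2001:db8:1:2::{i:x}", i * 0.1) for i in range(1, 201)]
SAMPLE += [("198.51.100.7", 5.0 + i) for i in range(3)]

if __name__ == "__main__":
    print("per-address limiter allowed:", replay(False, SAMPLE))
    print("per-/64 limiter allowed:    ", replay(True, SAMPLE))
```

The prefix length is a tuning choice, and a budget keyed on the account or display name being looked up complements it because it does not depend on where requests come from.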
Privacy Implications and Attack Vectors
Phone numbers represent highly sensitive personal information frequently targeted in social engineering campaigns and various forms of cyberattacks. The ability to systematically extract this data from Google accounts could have enabled large-scale privacy violations and facilitated targeted harassment or fraud campaigns.
The researcher documented the entire exploitation process in a demonstration video, providing clear evidence of the vulnerability's practical application. This transparency helped Google understand the severity of the issue and implement appropriate countermeasures.
Google's Response and Remediation
Following responsible disclosure practices, Brutecat reported the vulnerability chain to Google in mid-April 2025. The technology company responded with security patches and mitigations deployed throughout May and early June, effectively closing the exploitation pathway.
Google recognized the significance of the discovery by awarding Brutecat a $5,000 bug bounty, acknowledging both the technical sophistication of the finding and its potential impact on user privacy. This reward reflects Google's commitment to incentivizing security research through its vulnerability rewards program.
Pattern of Security Research Success
This discovery represents the latest in a series of significant security findings by Brutecat. In March 2025, the researcher disclosed details of a YouTube vulnerability that exposed content creators' email addresses, earning a substantial $20,000 bug bounty from Google. This previous success demonstrates the researcher's consistent ability to identify complex vulnerability chains within Google's ecosystem.
The progression from a $20,000 YouTube email exposure vulnerability to a $5,000 phone number extraction flaw illustrates the varying severity levels and potential impacts of different security issues within large technology platforms.
Broader Security Implications
The discovery highlights several important cybersecurity principles. First, it demonstrates how seemingly unrelated features can be chained together to create significant security vulnerabilities. The combination of account recovery systems, rate limiting weaknesses, and business intelligence tools created an unexpected attack vector that might not have been apparent during individual component security assessments.
Second, the incident underscores the value of unconventional testing approaches. Brutecat's decision to explore Google's functionality without JavaScript—a seemingly academic exercise—led to a practical security discovery with real-world implications.
Finally, the case illustrates the importance of comprehensive security testing that considers not just individual features but also their interactions and potential for abuse when combined in unexpected ways.
Lessons for Platform Security
For technology companies, this incident serves as a reminder that security vulnerabilities can emerge from the intersection of legitimate features operating as designed. The exploitation didn't require breaking any individual system but rather leveraging the intended functionality of multiple services in an unintended manner.
The discovery also emphasizes the critical role of security researchers in identifying complex vulnerability chains that might escape traditional security testing methodologies. Brutecat's systematic approach to exploring Google's services from an unusual angle provided insights that conventional security assessments might have missed.
As technology platforms continue to expand their feature sets and integrate various services, the potential for similar cross-service vulnerabilities increases, making comprehensive security research and responsible disclosure practices essential for maintaining user privacy and platform integrity.