Researcher Found Flaw to Discover Phone Numbers Linked to Any Google Account

A security flaw in Google’s account recovery feature allowed attackers to brute-force phone numbers linked to Google accounts. The vulnerability, discovered by a Singaporean researcher, was addressed by Google, who removed the non-JavaScript username recovery form. The researcher received a $5,000 bug bounty for the responsible disclosure.