The author was browsing Google one day and decided to turn off JavaScript. To their surprise, the account recovery page still worked, because it is a plain HTML form.
The username recovery form lets you check whether a given recovery email address or phone number is associated with an account with a specific display name. The author's first question was whether this could be brute forced. After a number of attempts a CAPTCHA appears and blocks the attack, so how does that CAPTCHA work?
The JavaScript form includes a BotGuard token, although the request the form sends sets it to disabled. Supplying a BotGuard token to the no-JS form removes the rate limiting altogether, so there is no CAPTCHA at all! This let them brute force the phone numbers associated with accounts.
Two limitations remain: the country code must be known, and a display name for the target account is required. The first can often be inferred from the phone mask shown in the recovery flow, since the length and digit grouping of the masked number differ by country. The second is trickier.
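The enumeration described above, as an added example that is not code from the original write-up: given a masked hint and a known country code, generate every number consistent with the mask, optionally prune by a caller-supplied list of plausible national prefixes, and query each candidate against a yes/no oracle. The mask characters, the prefix list, the sample mask and target number are all assumptions, and the oracle is a constructed stand-in that mimics the rate-limited and unlimited behaviour the text describes; it is not Google's endpoint.

```python
"""
Enumerating the phone numbers consistent with a masked hint and a known
country code, then testing each against a yes/no oracle.  Added example, not
code from the original write-up; the oracle is a constructed stand-in and is
NOT Google's recovery endpoint.
"""
import itertools
import re
from typing import Callable, Iterator, Optional, Sequence, Tuple

MASK_CHARS = "•*"  # characters the hint uses for hidden digits (assumption)


def mask_to_digits(mask: str) -> str:
    """Drop separators, keeping only digits and mask characters.
    The mask is taken to show the national number without a trunk prefix."""
    return re.sub(r"[^0-9" + re.escape(MASK_CHARS) + "]", "", mask)


def search_space(mask: str) -> int:
    """Number of candidates before any pruning: ten choices per hidden digit."""
    return 10 ** sum(c in MASK_CHARS for c in mask)


def candidates(mask: str, country_code: str,
               allowed_prefixes: Sequence[str] = ()) -> Iterator[str]:
    """Yield every E.164 number consistent with the mask, in counting order.

    allowed_prefixes prunes national numbers that do not start with one of
    the given strings (e.g. ("7",) for UK mobiles).  The prefix list is an
    assumption supplied by the caller, not something the mask reveals."""
    digits = mask_to_digits(mask)
    hidden = sum(c in MASK_CHARS for c in digits)
    for fill in itertools.product("0123456789", repeat=hidden):
        fill_iter = iter(fill)
        national = "".join(next(fill_iter) if c in MASK_CHARS else c
                           for c in digits)
        if allowed_prefixes and not national.startswith(tuple(allowed_prefixes)):
            continue
        yield "+" + country_code + national


class CaptchaRequired(Exception):
    """Raised by the stand-in oracle once its query budget is exhausted."""


def make_oracle(secret: str, limit: Optional[int] = None) -> Callable[[str], bool]:
    """Constructed stand-in for the 'is this number tied to the account' check.

    limit=None models the no-JS form with a BotGuard token, where the
    write-up found no rate limit; an integer models the plain form, which
    starts demanding a CAPTCHA after `limit` queries."""
    state = {"queries": 0}

    def oracle(number: str) -> bool:
        state["queries"] += 1
        if limit is not None and state["queries"] > limit:
            raise CaptchaRequired(f"CAPTCHA after {limit} queries")
        return number == secret

    return oracle


def brute_force(mask: str, country_code: str, oracle: Callable[[str], bool],
                allowed_prefixes: Sequence[str] = ()) -> Tuple[Optional[str], int, bool]:
    """Query candidates until one is confirmed.

    Returns (number or None, queries issued, stopped_by_captcha)."""
    queries = 0
    for number in candidates(mask, country_code, allowed_prefixes):
        queries += 1
        try:
            hit = oracle(number)
        except CaptchaRequired:
            return None, queries, True
        if hit:
            return number, queries, False
    return None, queries, False


if __name__ == "__main__":
    # Constructed data: a UK (+44) mask hiding five digits and a target number.
    mask, cc, target = "•5•• 1234 ••", "44", "+447512123499"
    print("search space for '•• •••• ••03':", search_space("•• •••• ••03"))
    print("no rate limit, no pruning:", brute_force(mask, cc, make_oracle(target)))
    print("no rate limit, UK mobile prefix:",
          brute_force(mask, cc, make_oracle(target), ("7",)))
    print("CAPTCHA after 100 queries:",
          brute_force(mask, cc, make_oracle(target, limit=100)))
```

The prefix filter is where the country code matters in practice: a mask that hides eight digits is 10^8 candidates, but once the country (and so the valid mobile prefixes and number length) is known, most of that space can be discarded before a single query is sent. The rate-limited oracle shows why the BotGuard detail matters: with a CAPTCHA after a fixed budget the search stops early, and with the budget removed the same loop runs to completion.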
In 2023, Google changed its policy so that display names are only shown to people who have had a direct interaction with the user, and by 2024 almost all Google services had removed them. After some searching, the author found that Looker Studio's transfer-ownership functionality still leaked the display name!
Overall, a great find on the bug to steal phone numbers! Privacy is hard to get correct, and this is a good example of that. I enjoyed the use of IPv6 and the mixing of flows for the bypass.