Google’s Legacy Systems Expose Users to Phone Number Vulnerability

The deprecated JavaScript-disabled recovery form allowed attackers to brute-force Google account phone numbers, revealing the dangers of outdated infrastructure in modern cybersecurity.

By Jace Reed

Singapore, June 10, 2025 — Google has patched a critical security flaw that allowed attackers to brute-force phone numbers used for account recovery linked to any Google account, exposing the risks of lingering legacy systems in its infrastructure. Discovered by Singaporean researcher “brutecat,” the vulnerability exploited a deprecated JavaScript-disabled username recovery form, highlighting how outdated technology can undermine modern cybersecurity protections. The flaw, fixed on June 6, 2025, after its disclosure in April, underscores broader concerns about tech giants’ reliance on aging systems as cyber threats evolve in 2025.

The vulnerability stemmed from a now-removed JavaScript-disabled version of Google’s username recovery form, which lacked robust anti-abuse mechanisms like CAPTCHA enforcement, allowing attackers to rapidly guess phone number permutations. Brutecat reported that, using a $0.30/hour server, a Singapore-based number could be uncovered in just 5 seconds, whereas a U.S. number required about 20 minutes.
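As an added illustration (not code from Google or the researcher), the sketch below shows the kind of anti-abuse check the legacy form is described as lacking: it counts distinct phone guesses submitted without a solved CAPTCHA against one account name inside a time window. The log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed log for a hypothetical recovery endpoint. Assumed line format:
# timestamp|client|display name looked up|digest of submitted phone|captcha solved (0/1)
SAMPLE_LOG = [f"2025-06-01T00:00:{i:02d}|c1|Alice Tan|p{i:04d}|0" for i in range(30)] + [
    "2025-06-01T00:00:10|c2|Bob Lee|p9001|1",  # ordinary user, challenge solved
    "2025-06-01T00:00:40|c2|Bob Lee|p9002|1",  # same user retrying another number
]


def find_enumeration(lines, max_distinct=10, window_s=60):
    """Return {name: peak distinct unchallenged phone guesses} for names over the limit.

    Lines for a given name must be in time order. The count is keyed on the
    account being looked up, so it measures guessing pressure on that account.
    """
    recent = defaultdict(deque)  # name -> (timestamp, phone digest) inside the window
    peaks = {}
    for line in lines:
        ts_raw, _client, name, digest, captcha = line.strip().split("|")
        if captcha == "1":
            continue  # a solved challenge already slows the request down
        ts = datetime.fromisoformat(ts_raw)
        window = recent[name]
        window.append((ts, digest))
        # Drop guesses that have aged out of the sliding window.
        while (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()
        distinct = len({d for _, d in window})
        if distinct > max_distinct:
            peaks[name] = max(peaks.get(name, 0), distinct)
    return peaks


if __name__ == "__main__":
    for name, peak in find_enumeration(SAMPLE_LOG).items():
        print(f"challenge or block lookups for {name!r}: {peak} distinct guesses")
```

In production the same counter would sit in front of the handler and force a challenge once the limit is reached, rather than run over logs after the fact.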

This flaw, rooted in a legacy system designed for older browsers, reveals a critical oversight in Google’s infrastructure. “Legacy endpoints like this are ticking time bombs,” said Dr. Wei Liu, a cybersecurity expert at Nanyang Technological University. “They’re often overlooked during security audits, yet they provide easy access for attackers.”

The exploit also leveraged Google’s Looker Studio to leak account display names, amplifying the risk of targeted attacks. With over 1.5 billion Google accounts worldwide, the potential for widespread harm was significant, especially for users relying on phone numbers for account recovery or two-factor authentication (2FA). The 2025 incident highlights an industry-wide problem of maintaining outdated systems amid rising cyber threats, as companies like Microsoft and Amazon face similar issues with legacy APIs, including a recent OneDrive flaw that granted unauthorized cloud access.

The Cost of Modernizing Security

Google’s swift response, deprecating the vulnerable form by June 6, 2025, and awarding brutecat a $5,000 bug bounty, demonstrates its commitment to addressing flaws through its Vulnerability Reward Program. However, the incident raises questions about the cost and complexity of phasing out legacy systems.

Tech giants often maintain older infrastructure to support users with outdated devices or browsers, but such maintenance can create vulnerabilities that sophisticated attackers exploit. In March 2025, a similar legacy issue in Google’s YouTube Partner Program allowed email address leaks, costing Google a $20,000 bounty.

The broader tech industry is grappling with this challenge. A 2024 report by Gartner estimated that 60% of enterprise security breaches involve legacy systems, as companies struggle to balance compatibility with security. Google’s move to eliminate the no-JavaScript form is a step forward, but experts warn that other deprecated endpoints may still exist. “Modernizing infrastructure is expensive and disruptive, but the alternative—leaving users exposed—is far worse,” said Priya Sharma, a cybersecurity analyst at Forrester. As cyberattacks grow in sophistication, with groups like APT41 exploiting legacy flaws, companies must prioritize retiring outdated systems.

Did you know?
In 2024, over 40% of global cyberattacks exploited vulnerabilities in legacy systems, costing companies an estimated $1.2 trillion in damages, according to a cybersecurity industry report.

What’s Next for Google’s Security?

Google’s fix prevents further exploitation of the phone number vulnerability, but the incident makes it imperative to conduct proactive audits of legacy systems. With cyber threats like SIM-swapping and phishing on the rise in 2025—evidenced by recent FBI warnings about the BADBOX 2.0 malware campaign affecting over 1 million devices—tech companies face mounting pressure to modernize.

Google’s ongoing collaboration with security researchers through its bug bounty program will be critical, but users are advised to adopt stronger 2FA methods, such as authenticator apps, and review recovery settings to mitigate risks. The episode serves as a reminder that even tech giants must stay vigilant to protect user data in an ever-evolving threat landscape.

© 2025 MoneyOval.
All rights reserved.