Systesign
June 9, 2025 at 05:36 PM
What a great article showcasing that even a multi-billion-dollar organization can make mistakes. The author explored the Google Account recovery page and discovered that a no-JavaScript page still existed and could be used to brute-force the phone number associated with an account. First, the author would share a document with the target email address, which would reveal the account details (first and last name); then the author would attempt an account recovery via phone number. Google would leak the region of the phone number, since it masks the phone number in the same format produced by libphonenumber. The attacker would then have a script run against the account recovery API with generated country-specific phone numbers. https://brutecat.com/articles/leaking-google-phones