Malware hackers have recently exploited vulnerabilities in Google’s login system, particularly in the OAuth authentication framework. A newly disclosed weakness in this system allows attackers to take advantage of domain ownership changes. This tactic potentially provides unauthorized access to the accounts of former employees across various services, including Slack.
In addition, legacy systems, such as Google’s JavaScript-disabled username recovery form, present additional flaws that can result in significant security breaches. One method utilized by cybercriminals involves bypassing rate limiting protections using multiple IPv6 addresses. By obtaining BotGuard tokens from Google’s forms, attackers effectively evade existing security measures. Users may notice suspicious data usage spikes when their accounts are compromised. The implications are severe, as these vulnerabilities can jeopardize user data, allowing malware to bypass traditional antivirus detection systems. This was demonstrated by how attackers employed a custom tool to exploit the legacy recovery form that allowed for the brute-forcing of phone numbers.
To support attacks, some hackers have crafted custom tools, such as “gpb,” designed for executing brute-force assaults on Google’s phone number verification process. This technique allows unauthorized individuals to guess phone numbers through Google’s forgotten password recovery system. Since domain ownership changes are exploited, malicious actors can create new accounts that closely mimic old ones, further compounding the issue.
The impact on users is considerable. Privacy concerns emerge as personal phone numbers may be exposed through Google’s account recovery mechanisms, while unauthorized access from OAuth vulnerabilities poses significant risk to data security. The consequences may extend beyond individual users, potentially resulting in financial losses from malicious activity and reputational damage to organizations relying on Google’s authentication services.
Addressing these vulnerabilities requires a multi-faceted approach. Regular security updates and patches remain vital for defense, as many vulnerabilities were addressed in the latest Android version released in June 2025. Additional measures, including data wiping of closed accounts and the implementation of immutable identifiers in OAuth tokens, can improve overall security.
Strengthening rate limiting and employing continuous monitoring of network traffic are critical strategies for detecting unusual behavior and thwarting attacks. As cybersecurity threats evolve, vigilance and proactive measures are imperative to safeguard user information.
