Bruteforcing the phone number of any Google user

It's easier to reuse existing code and simply bump the number of digits required to store the IP address.

It is already pretty common to start with IP blocking but upgrade to blocks when the bad behavior continues.

Assuming a /64 as a starting point is an easy win and bumping it up with repeat offenders seems pretty easy in the grand scheme of things.

It actually makes things a easier for both blocking and allocating (e.g. VPS hoster) side.

Once the "oh no, we can't afford that many unique allocations" excuse is away, algorithms that enforce quotas for every prefix size at the same time (with no excuses for CGNAT weirdness) stop being too ruthless.

You can distribute your addresses as needed, and I can track successful and failing attempts - at whatever distribution scheme you use. E.g. group your "unverified" or "trial" accounts at a larger prefix size, so they get each other blocked - but not your paying customers.

How are you getting a /56 from Comcast? I can only request up to a /60 from them, any larger and I get a /60 rather than whatever I requested.

Well yes, natting is not normal on ipv6 - that’s a major feature.

Direct connections are a good thing and how the Internet is supposed to work. NAT is the only reason IPv4 has lasted this long.

Blocking inbound connections using connection tracking is orthogonal to NAT. It's just that NAT implies the former by default due to its nature.

A bit more context: BuyVM is a legitimate business, popular with hobbyists, and has features that are hard to get elsewhere (e.g., BGP sessions). They do take a pro-free speech stance but they are a far cry from bulletproof hosting ("shady operators"). An imperfect comparison at a massively bigger scale would be Cloudflare's prominence in certain contexts.

Say what? IPv6 was designed that first 64 bits are network, last 64 bit are host.

Since /64 is smallest network in IPv6 and because of that most providers hand out /64 when you ask for IPv6 public address because A) Most Rate Limiting uses /64 and B) IPv6 has so many IPs, no one cares.

Vultr has at least one /32 I was able to find (2001:19F0::/32) which if you cut that into /64 comes out ~4.2 Billion different networks or same amount of IPv4 address that exist.

ARIN will hand anyone who asks a /48 IPv6 subnet which 65,536 unique networks and getting larger prefix is not hard.

Can you elaborate? As one tool among many it seems to me to be a perfectly serviceable tool in the toolbox, with a sufficiently high rate limit to account for shared IPs.

Yeah, $5k seems awfully cheap considering the effort entailed and the potential impact of this big.

The main cost of running a bug bounty program is developer time spent triaging submissions from all the people who just run an automated scanner against your website and submit everything it outputs.

Depends on the company. Also It can be a good way to say to management, "look, this old deprecated shit needs to be replaced because it's insecure; maintenance is a security issue"

While your argument seems to make sense on the surface, it fails in deeper inspection.

What security implications did Google Reader have? I do understand keeping older APIs and endpoints for authentication and authorization are indeed dangerous. However, if your architecture causes the mere clients of those authorization infra to be exploited, I think the problem isn't keeping the products running. You designed something inherently insecure.

There still is a standard password recovery flow with mail/capability URL that is reasonably safe and hasn't changed too much in a decade.

It is the bullshit some security advisories brought us that introduced new dangers. By sharing telephone numbers for example...

These threats are also worse than losing an account in many cases, because now the data can easily be correlated, which has proliferated through a lot of 2FA bullshit.

I thought it was gone but I’m reading it was just hidden but re-added to the UI in 2024. That was always my favorite feature haha.

On the other hand they had no idea if the information was valid or wildly outdated. But better something than nothing I guess. :-)

Something that can be hard to appreciate if you haven't managed this sort of project is that it can be surprisingly hard to throw money at the problem.

If you try to hire at your regular "bar" for skill for boring work like this - people will often quit. This is one of the reasons many company's integrations are lacking despite it being a strategic interest - integration work is miserable and doesn't help your career.

Hiring below the skillbar at the same pay, is dangerous and often doesn't actually work out - if it was that easy someone more skilled probably would have fixed this a while ago.

So you try to pay more for the miserable work - but hold on, now you have to pay out of band salaries, and legal tells you that opens you to massive liabilities.

Ok - maybe you can just level them differently? No, HR will tell you that will mess with all your internal level processes - which are key to running the company. They're going to add a lot of additional overhead tracking these "fake" leveling bands and dealing with the consequences.

None of this means the problem is literally unsolvable, but it now requires a huge amount of time and effort from people near the top of the company who everyone would much rather spend their time on making the company better.

All of this to say - sure you could solve this problem, but it's actually much more complex than adding some line items to a budget.

Source: have watched many big companies try and fail for years to staff unsexy work like this.

In addition to having the money, Google also needs the incentive to spend that money on such projects. If the perceived return on capital is low (or negative!), the incentive is simply not there.

Google's main search page is the slowest page & UI I have found on the internet today (not accounting for bandwidth limits). Even on modern devices it lags at text entry and even rearranges characters in the text box so you have to wait 10+ seconds for it to finish loading or it will go haywire. The shopping and other pages are actually worse. So it appears you're right, $350B isn't enough money to maintain a web page in 2025.

I was recently editing the Wikipedia page for Google Bookmarks (2005-2021). I wanted to add a logo to the page, but I was having a lot of trouble finding a high-quality copy of the logo anywhere. Eventually I figured out that Google's old URL scheme for product logos was very guessable, and they had never taken it down: https://www.google.com/intl/en-US/images/logos/bookmarks_log...

They'll probably never stop serving those old URLs because who KNOWS where they might still be in use. One of surely a million examples of weird little legacy things Google is stuck with.

I tried to guess what it might be ... I went to check moon.google.com, one of the older apps/jokes that I can recall still running. It seems that they got someone to update moon.google.com with a more recent look and feel, and dozens of moons instead of just the one.

And people say Google abandons products.

g has been demanding a valid phone for years, as have most other major providers. if you lose the number you sign up with, you can potentially get locked out of the account. whats your mo?

What do you use instead of a real phone number? How do you get past mandatory phone number verification for services which require it?

not so long ago practically everyone's name and phone number was available publicly for free in any phone box

If you have used Twitter or Facebook long enough while keeping the account, public your information is.

Here's the one I'm thinking of (time flies, doesn't it?)

https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking...

> Those security lapses are my fault, and I deeply, deeply regret them.

> But what happened to me exposes vital security flaws in several customer service systems, most notably Apple's and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information – a partial credit card number – that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.

There used to be deep web services that provided a lot of this stuff for free back in the early 2000s or so. I think everything like that is behind at least some level of paywall now but it's not hard to get a fairly complete dossier on someone given a bit of background information and a pretty small expenditure.

Get personal info, then call carrier for a SIM swap, access crypto from there. Bonus: no KYC, since it's the other person's identity + you can login from 4G internet, so a trusted IP range.

If the bug bounty program doesn’t pay out much, there will be plenty of less reputable actors happy to pay more

Who's talking about participation? We can be appalled by their business practices as their customers (actual or potential). These are the same companies that tell us that our privacy and security is their #1 concern, and use that justification to take away our rights "for our own good", but when there's a real threat they address it with with a business-casual equivalent of "fuck off".

This is why there need to be strong fines associated with such security issues. That would provide financial viability enough.

Even if the issue wasn't abused, it looks like data already leaked.

You really trust that not a single friend of yours has ever clicked the "share contacts" button after downloading Facebook/Instagram/Snapchat/LinkedIn/TikTok...? You trust that your auto dealer or bank has not shared your details with Experian (even though you signed a piece of paper explicitly authorizing that)? You trust that your mobile operator itself isn't sharing your contact data with advertisers (go back and read your carrier agreement)? You trust that your grocery store's membership system has fool-proof IT security? Look up "recent data breaches" on Google and see how many of those companies/hospitals/government agencies you had a relationship with. I can guarantee that despite your best efforts and "trust" your phone number is accessible in a few clicks to anyone who cares to look.

It helps somewhat, but unless you give a unique number to every single friend, business, bank, store, your real number will find its way into data breaches sooner or later. Heck AT&T and T-Mobile have themselves had large scale hacks in the last few years.

Back when phone books were a thing, you couldn't take over a phone number from the other side of the country in the middle of the night and use it to transfer funds to a foreign bank account before you even wake up.

Social security numbers were also never supposed to be secret but as their use changed over the years, so did the way people treat them.

Yes, phone numbers are leaked everywhere. So are social security numbers and home addresses. That doesn't mean your website should be leaking that information.

Do I give it out? Not so much.

Do I expect it to be private? No.

You can for a small fee on some websites get my number.

Heck if you find a phone book from ~2000 where I use to live then you could just look it up in the phone book. Number portability saw to that.

Considering the number of data breaches and past history of phone numbers. To expect any sort of privacy is 'nice to have' but not going to happen. At this point it is basically security thru obscurity to expect it to be private.

Even when they had 'unlisted' numbers you could buy a book from the phone company that had it in there anyway. They even had reverse phone books you could buy. I even remember CD's from ~1998 that had the whole country. You didn't even need to keep the books.

Things have changed in the last decades. With all the unsolicited calls (and especially scams) one would prefer to keep their phone number as private as possible. Doesn't mean that delivery can't get it, just that it shouldn't be on the net.

Fair point

Lookerstudio was formerly google data studio, which was homegrown at google!

Indeed, I think if our government weren't absurdly corrupt and incompetent that breach should have triggered two things:

1. Announce a timeline to publish SSNs publicly for all people (forcing function for businesses who might drag their feet)

2. Before #1 comes to pass, issuance of actual credentials to replace SSNs for multiple purposes, credentials that

   A. can be validated in an online process

   B. you can get multiple credentials that all tie back to a secure identity for credit reporting purposes, and you can be notified when new credentials are generated

   C. and (*crucially*) can be invalidated for future use when compromised

#2 is not easy! It would be a massive project. But it's hard to argue that keeping the absurd "secret 9 digit number" joke going isn't even less viable than taking that project on would be.