Google accounts may be vulnerable to new hack, changing password won’t help
A new method allegedly enables hackers to exploit authorization protocol OAuth2 functionality to compromise Google accounts and maintain valid sessions by regenerating cookies despite IP or password reset.
According to security firm CloudSEK, a threat actor under the alias PRISMA boasted a potent zero-day exploit and developed a sophisticated solution to generate persistent Google cookies through token manipulation.
“This exploit enables continuous access to Google services, even after a user's password reset,” the report reads.
OAuth 2.0 stands for “Open Authorization 2.0” and is a widely used protocol for securing and authorizing access to resources on the internet. It makes verifying user identity easy by tapping into their social media accounts, such as Google or Facebook.
CloudSEK's threat research team identified the exploit's root at an undocumented Google Oauth endpoint named “MultiLogin.” This is an internal mechanism designed for synchronizing Google accounts across services, which ensures that browser account states align with Google’s authentication cookies.
The developer of the exploit “expressed openness to cooperation,” which accelerated the discovery of the endpoint responsible for regenerating the cookies.
The exploit, incorporated in a malware called Lumma Infostealer on November 14th, boasts two key features: session persistence and cookie generation. To exfiltrate the required secrets, tokens, and account IDs, the malware targets Chrome’s token_service table of WebData of logged-in Chrome profiles.
“The session remains valid even when the account password is changed, providing a unique advantage in bypassing typical security measures,” the report quotes PRISMA. “The capability to generate valid cookies in the event of a session disruption enhances the attacker's ability to maintain unauthorized access.”
Researchers noted a concerning trend of rapid exploit integration among various Infostealer groups. They think the exploitation of undocumented Google OAuth2 MultiLogin endpoint provides a textbook example of sophistication, as the approach hinges on a nuanced manipulation of the GAIA ID (Google Accounts and ID administration) token. Malware masks the mechanism of exploit using a layer of encryption.
“This exploitation technique demonstrates a higher level of sophistication and understanding of Google’s internal authentication mechanisms. By manipulating the token: GAIA ID pair, Lumma can continuously regenerate cookies for Google services. Even more alarming is the fact that this exploit remains effective even after users have reset their passwords. This persistence in access allows for prolonged and potentially unnoticed exploitation of user accounts and data,” the CloudSEK team concluded.
Cybernews reached out to Google, you can find the company's comments here.
More from Cybernews:
Subscribe to our newsletter