Google accounts may be vulnerable to new hack, changing password won’t help

A new method allegedly enables hackers to exploit authorization protocol OAuth2 functionality to compromise Google accounts and maintain valid sessions by regenerating cookies despite IP or password reset.

According to security firm CloudSEK, a threat actor under the alias PRISMA boasted a potent zero-day exploit and developed a sophisticated solution to generate persistent Google cookies through token manipulation.

“This exploit enables continuous access to Google services, even after a user's password reset,” the report reads.

OAuth 2.0 stands for “Open Authorization 2.0” and is a widely used protocol for securing and authorizing access to resources on the internet. It makes verifying user identity easy by tapping into their social media accounts, such as Google or Facebook.

CloudSEK's threat research team identified the exploit's root at an undocumented Google Oauth endpoint named “MultiLogin.” This is an internal mechanism designed for synchronizing Google accounts across services, which ensures that browser account states align with Google’s authentication cookies.

The developer of the exploit “expressed openness to cooperation,” which accelerated the discovery of the endpoint responsible for regenerating the cookies.

The exploit, incorporated in a malware called Lumma Infostealer on November 14th, boasts two key features: session persistence and cookie generation. To exfiltrate the required secrets, tokens, and account IDs, the malware targets Chrome’s token_service table of WebData of logged-in Chrome profiles.

“The session remains valid even when the account password is changed, providing a unique advantage in bypassing typical security measures,” the report quotes PRISMA. “The capability to generate valid cookies in the event of a session disruption enhances the attacker's ability to maintain unauthorized access.”

Researchers noted a concerning trend of rapid exploit integration among various Infostealer groups. They think the exploitation of undocumented Google OAuth2 MultiLogin endpoint provides a textbook example of sophistication, as the approach hinges on a nuanced manipulation of the GAIA ID (Google Accounts and ID administration) token. Malware masks the mechanism of exploit using a layer of encryption.

“This exploitation technique demonstrates a higher level of sophistication and understanding of Google’s internal authentication mechanisms. By manipulating the token: GAIA ID pair, Lumma can continuously regenerate cookies for Google services. Even more alarming is the fact that this exploit remains effective even after users have reset their passwords. This persistence in access allows for prolonged and potentially unnoticed exploitation of user accounts and data,” the CloudSEK team concluded.

‍Cybernews reached out to Google, you can find the company's comments here.

More from Cybernews:

Clash of Clans gamers at risk while using third-party app

Cybernews podcast unpacks 2023's AI odyssey

Top ten biggest security incidents of 2023

Hackers expose masses of personal data on dark web during Christmas

Google settles $5 billion consumer privacy lawsuit

Subscribe to our newsletter


Xzavier Aleister Carsten
prefix 5 months ago
I'm curious though! What if you use 2 step verification?
dylan d
prefix 5 months ago
2FA doesn't matter for this. The sessions are already authenticated. 2FA isn't going to protect you for this exploit.
prefix 5 months ago
I was hoping somewhere within this article would provide a solution. What do I do now to protect myself?
prefix 5 months ago
Clearly not a zero day. You account needs to have been compromised by some other means first..
prefix 5 months ago
All they need to do is expire the session and force the user to log in again with the new password whenever it's changed. Some sites already do this, although it can be annoying from a user's perspective.
danga lang
prefix 5 months ago
when it comes to security, everything is annoying from a user's perspective
Leave a Reply

Your email address will not be published. Required fields are markedmarked