All cookies are vulnerable, but they are all it takes to compromise Google or other accounts, Trevor Hilligoss, former FBI digital crime expert and current Vice President of SpyCloud Labs, warns. This was proven by the recently discovered OAuth vulnerability.
We’re back to square one with online security. No matter the length of the password or the number of factors during your authentication, cybercrooks can compromise your accounts if malware infects your device and finds some session tokens or cookies.
Cybernews has already reported that the new exploit of the authorization protocol OAuth2 allows attackers to hijack Google accounts with far-reaching consequences and maintain persistence despite a password reset.
Cookie theft is not a new tactic to bypass authentication – valid cookies can be imported into a criminal’s system, spoofing the victim’s device. However, this method is on the rise since many users now use multi-factor authentication, making it harder to access accounts with stolen passwords, Hilligoss explained in an interview with Cybernews.
And it may become worse.
“It's much bigger than just Google. Cookie theft has been so pervasive for so long, and people are really concerned about their usernames and passwords. I feel like very few people really understand how serious cookie theft is and how difficult it is to prevent,” Hilligoss said.
Hilligoss assures that Google accounts are one of the most attractive to criminals as they contain a lot of critical personal, tax, and other information and can also be used to reset passwords of other services.
“If I get into your Gmail account, I bet you I can reset your Facebook password using your Google account. I do that in the middle of the night. You're not going to realize it until the morning. Now I've got control of your Facebook,” Hilligoss explained to Cybernews. “And the criminals do this every day.”
Crooks can use powerful information stealers like Lumma for just $250 per month without any tech knowledge.
Why are cookies so important?
A few years ago, when multi-factor authentication (MFA) wasn't widespread, most people still got into their accounts using only their username and password. Nowadays, we see MFA everywhere, as it’s an effective way to block simple credential-stuffing attacks. Hackers adapt.
“Criminals, over the past couple of years, have started using stolen authentication cookies because, effectively, you don't even have to authenticate. I don't need to try to pass a username and password because I have a valid cookie that hasn't yet expired. I can essentially just say, hey, I'm the person that's supposed to have access to this site, let me in,” Hilligoss said.
Last year, when a threat actor came out with what they referred to as a zero-day vulnerability with Google's cookie revocation policy, it was quickly integrated into multiple infostealers. This malware family is designed to infiltrate computer systems and steal sensitive information.
“It's not surprising that the infostealer community was the first to pick this up. Infostealers, for a very long time, have used cookie theft as a way to get access to accounts,” Hilligoss noted.
Authentication cookies establish an expiration time for your sessions with services. The token expires after some time, which may take minutes to months, and the user needs to re-authenticate. Malicious actors, having access to cookies and device information, no longer need to know passwords and security passphrases or have access to account recovery options.
And using web services without such tokens would feel like a nightmare.
“Say you're on your bank's website. You log in, you click on your checking account, you don't want to have to log in again. Right? Imagine if every time you clicked on a link, you'd have to go back and enter your username and password. That's not a good user experience. So that's what the cookies do for you. But the same cookie can be used by somebody else as long as it’s within that valid period,” Hilligoss explained.
Of course, websites perform additional checks to ensure the device is the same and belongs to the same user.
“Google responded, and they've made a few changes and patched some of the issues. And then they basically came out at the beginning of this month and said, you know, this is not an exploit. This is something that cookies do, this is how the technology is supposed to work, make sure that you know, go in and revoke all sessions from within your account,” Hilligoss said.
Is it easy for cybercriminals to steal session tokens/cookies?
“Malware has become very, very good at this. Most browsers store cookie material in a database locally,” Hilligoss confirmed. “When you visit your bank website, you enter your username and password, you click login. That server will provide a unique cookie to your browser. And that browser will then save that cookie into a database on your device, so the next time you access that website, it's automatically going to serve that cookie with any other cookies saved for that website.”
Hilligoss explains that malware, just like a browser, will access the same database to check if there are any cookies for banks or other services. Then, those tokens will be exported to a file locally on the victim’s device, bundled up with other system and user information, such as the screen resolution, CPU model, RAM amount, operating system, etc.
“All kinds of device-based information is going to get bundled up and then sent off to the attacker. At that point, the attacker’s able to become you. There are lots of open-source and free software that allows them to import cookies and set up their systems to look like yours to fraudulently make the browser think you’re running Windows 11 with this patch number, CPU, and all other things,” the expert said.
Then attackers just access Gmail or other accounts.
“At the end of the day, every cookie is inherently vulnerable. The problem is the malware that hits the device, less so the cookie itself.”
How do you even protect yourself from such attacks?
“The big thing is making sure that you don't get infected to begin with,” Hilligoss said. “Infostealer malware is extremely pervasive. We see literally hundreds of thousands of unique infections every single day around the world, especially in the countries that are targeted the most, that people like us live in. It’s Europe, it’s the United States. The wealthy places where the criminals can make a lot of money.”
He recommends having good endpoint monitoring, installing an antivirus, and keeping it updated.
“Don't click on ads. Generally speaking, a lot of malware spreads through ads.”
Companies should have good remediation policies, as infections still happen, and practice detecting and revoking compromised tokens very quickly to limit the damage.
Users should also revoke access to devices they no longer use. They have some limited control over how long sessions last, too.
“You've probably sometimes seen there's a little checkbox that says something like ‘remember this computer.’ That usually establishes a persistent cookie if you click that checkbox,” Hilligoss explained.
He recommends leaving this check box empty and logging in for a new session each time to keep the cookie expiration time the shortest.
Hilligoss also acknowledged that he’s a cybersecurity nerd personally to the extent that “my family hates me.”
“When it comes to internet security, we have a home firewall, everything is required to be encrypted – I block all unencrypted traffic. We use password managers everywhere all the time, and I can't remember the last time I created my own password. And, yes, MFA is fantastic when you can avoid email and SMS, MFA as much as possible. That's the easiest to circumvent from an actor's perspective, as SIM swapping is becoming a huge issue. If you have an app, Google Authenticator, those kinds of things are fantastic. Hardware tokens like YubiKey are great, too.”
Criminals rent powerful malware for a few hundred bucks
SpyCloud Labs specializes in dark web research and breach data analytics, and Hilligoss spends a lot of his time on the dark web.
The company has observed a powerful infostealer, LummaC2, which includes the latest exploits of the authentication protocol OAuth2, offered with a monthly pricing scheme, where the cheapest ‘Experienced’ plan comes for $250/month, ‘Professional’ costs $500/month, and ‘Corporate’ doubles in price again ($1000/month).
“We're not talking about things that you have to code yourself. Any of us with 100-150 bucks in Bitcoin could buy a subscription to one of these stealers today. No coding experience is necessary. Immediately, you're equipped with all of these capabilities to regenerate Google tokens,” Hilligoss said. “This is like zero sophistication. This is the sophistication of being able to create a Bitcoin wallet, populate it with some funds, and then send it to some dude on the internet. That's it, you’re up and running, you’re a cybercriminal.”
This worrying malware-as-a-service model includes a trend of constant improvement with new techniques, a situation that Hilligoss compares to “five-year-olds with hand grenades.”
“I've been working info stealer malware for a long time, and I would say that last year has seen more new advances in info stealers than any year previously,” Hilligoss said.
“We've seen info stealers come out with modules that will steal the configuration files for remote desktop appliances. For example, if you install Anydesk and get hit with an info stealer like Lumma, that configuration file can be stolen.”
That would allow attackers to gain remote control of the device.
“There are so many threats ever advancing, ever-improving. You know, there's somebody somewhere in the world right now that's working on the V2 of this that's going to be even bigger and even more destructive. It's impossible to predict where that's going,” Hilligoss concluded. “Let's work on securing all the threats we know about, so when the next threat comes in, at least we don't have all of this stuff to worry about.”