Accounts in danger: Google recommends enhanced safe browsing and extra care

After reports of a new malware strain stealing and maintaining Google sessions, the tech giant is encouraging users to enable enhanced safe browsing and recommends extra security against malware.

As reported by Cybernews, a new hack is in the wild exploiting authorization protocol OAuth2 functionality. The new exploit allows cyberattackers to compromise Google accounts and maintain valid sessions by regenerating cookies despite an IP or password reset.

“Google is aware of recent reports of a malware family stealing session tokens. Attacks involving malware that steal cookies and tokens are not new – we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected,” Kim Samra, Security Communications Manager for Google, said.

However, they noted an important misconception in reports that suggest stolen tokens and cookies cannot be revoked by the user.

“This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser or remotely revoked via the user's devices page. We will continue to monitor the situation and provide updates as needed,” the spokesperson said.

In the meantime, Samra recommends that users continually take steps to remove any malware from their computer.

“And we recommend turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads,” Samra added.

The new exploit targets OAuth 2.0, which stands for “Open Authorization 2.0” and is a widely used protocol for securing and authorizing access to resources on the internet. According to security firm CloudSEK, a threat actor named PRISMA claimed this potent zero-day exploit can continuously access Google services even after a user's password reset.

The threat actor incorporated the exploit in a malware called Lumma Infostealer on November 14th. To exfiltrate the required secrets, tokens, and account IDs, the malware targets Chrome’s token_service table of WebData of logged-in Chrome profiles. Then, the infostealer is allegedly able to maintain session persistence and the ability to regenerate cookies.

The approach hinges on a nuanced manipulation of the GAIA ID (Google Accounts and ID administration) token. Malware masks the mechanism of exploit using a layer of encryption.

Researchers also noted a concerning trend of rapid exploit integration among various Infostealer groups, such as Rhadamanthys, Risepro, Meduza, and Stealc Stealer, which all adopted this technique.

Cybersecurity firm Hudson Rock noticed at least 5 Infostealer groups taking advantage of the exploit. The firm’s researchers spoke to one developer who claims they came up with this 0-day back in October 2023, were selling it independently, and provided a video demonstration.