A serious exploit affecting Google services that is being used to grant threat actors access to Google Accounts has been uncovered by cybersecurity company CloudSEK.
The exploit, which was identified in October 2023, enables continuous access to Google services even after a victim resets their password.
The malware has “rapidly spread” to various malware groups, including Lumma, Rhadamanthys, Risepro, Meduza, Stealc, and White Snake.
Google account hijacking malware spreads rapidly
CloudSEK says the exploit allows the generation of persistent Google cookies through token manipulation, giving a threat actor continuous access to a victim’s account.
Since information about the vulnerability was exposed in October, a growing number of threat actors have been incorporating the exploit into their infostealers and malware to gain access to Google accounts. At least six groups are now actively exploiting the vulnerability with their own malware.
CloudSEK’s analysis confirms that the Google OAuth endpoint, MultiLogin, which is designed to synchronize Google Accounts across services and give users a consistent user experience, is part of the key used by threat actors to break into Google Accounts.
Reverse engineering has revealed that the malware targets the token_service table of Chrome's WebData to extract tokens and account IDs from Chrome profiles.
Threat actors can use the stolen information to regenerate session cookies, which are designed to have a limited lifespan, to unlock access to a victim’s account.
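The detail that matters for defenders in the two paragraphs above is that the stealers read Chrome's own profile database (the "Web Data" file holding the token_service table) rather than attacking Google directly, so the first place to look for this activity on an endpoint is file-access telemetry. The script below is an added example, not CloudSEK's, Google's or any vendor's code: it runs a simple detection over constructed file-access audit lines and flags any process other than the browser itself opening Chrome profile databases. Assumed: the `timestamp|process|path|operation` log format is invented for the example, the profile directory pattern `\Google\Chrome\User Data\` is Chrome's default on Windows, and treating the "Cookies" file as a companion target is an assumption beyond what the report names.

```python
"""
Flag non-browser processes touching Chrome's profile databases.

Added illustration for the CloudSEK report above; not code from the report.
Assumptions (all constructed or general knowledge, not from the report):
  - events arrive as "timestamp|process|path|operation" lines
  - Chrome keeps each profile under "...\\Google\\Chrome\\User Data\\<Profile>\\"
  - "Web Data" is the file named in the report (token_service table);
    "Cookies" is an assumed companion target of the same stealers
"""
import re
from pathlib import PureWindowsPath

# Profile database files whose contents grant account access if exfiltrated.
SENSITIVE_BASENAMES = {"web data", "cookies"}

# The only process expected to open these files during normal use.
BROWSER_PROCESSES = {"chrome.exe"}

# Chrome's default profile location on Windows (case-insensitive match).
PROFILE_DIR_RE = re.compile(r"\\google\\chrome\\user data\\", re.IGNORECASE)

# Constructed sample telemetry: one benign browser read, two reads by an
# unknown "updater.exe", and one unrelated file access that must be ignored.
SAMPLE_EVENTS = """\
2023-12-29T10:01:02Z|chrome.exe|C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data|read
2023-12-29T10:01:05Z|updater.exe|C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data|read
2023-12-29T10:01:06Z|updater.exe|C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies|read
2023-12-29T10:02:00Z|notepad.exe|C:\\Users\\alice\\Documents\\notes.txt|read
"""


def parse_event(line: str) -> dict:
    """Split one constructed audit line into its four fields."""
    ts, proc, path, op = line.split("|", 3)
    return {"ts": ts, "process": proc.strip().lower(), "path": path, "op": op.strip()}


def is_chrome_profile_db(path: str) -> bool:
    """True when the path is a sensitive database inside a Chrome profile."""
    inside_profile = PROFILE_DIR_RE.search(path) is not None
    basename = PureWindowsPath(path).name.lower()
    return inside_profile and basename in SENSITIVE_BASENAMES


def find_suspicious_accesses(log_text: str, allowed=BROWSER_PROCESSES) -> list:
    """
    Return (timestamp, process, file) tuples for every access to a Chrome
    profile database by a process that is not on the allowed list.
    Backup agents and endpoint security tools legitimately read these files,
    so in production the allowed set is extended with those known binaries.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_chrome_profile_db(ev["path"]) and ev["process"] not in allowed:
            hits.append((ev["ts"], ev["process"], PureWindowsPath(ev["path"]).name))
    return hits


if __name__ == "__main__":
    for ts, proc, name in find_suspicious_accesses(SAMPLE_EVENTS):
        print(f"{ts} ALERT: {proc} read Chrome profile file '{name}'")
```

The rule deliberately keys on the file rather than on a malware family name, because the report shows the same technique spreading across at least six stealers; a signature for one of them misses the rest. Expect the allowlist to need tuning for backup and security products on the host before the alert is useful.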
Reporting by Bleeping Computer reveals that one group, Lumma, has already updated the exploit to counteract Google's mitigations, indicating that Google is already aware of the exploit. By the looks of it, though, Lumma has outsmarted the company – for now.
A Google spokesperson told TechRadar Pro in an email:
"Google is aware of recent reports of a malware family stealing session tokens. Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.
"However, it’s important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user. This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user's devices page. We will continue to monitor the situation and provide updates as needed."
In the meantime, users can avoid a lot of cybersecurity problems just by being careful about what they download – a lot of malware is actually ‘voluntarily’ downloaded (intentionally or unintentionally) by the victim. Chrome users can also enable Enhanced Safe Browsing to protect against phishing and malware downloads.