TechRadar
Craig Hale

This dangerous malware is able to hijack your Google Account by reviving cookies


A serious exploit affecting Google services that is being used to grant threat actors access to Google Accounts has been uncovered by cybersecurity company CloudSEK.

The exploit, which was identified in October 2023, enables continuous access to Google services even after a victim resets their password.

The exploit has “rapidly spread” to various malware groups, including Lumma, Rhadamanthys, Risepro, Meduza, Stealc, and White Snake.

Google account hijacking malware spreads rapidly

CloudSEK says the exploit allows the generation of persistent Google cookies through token manipulation, giving a threat actor continuous access to a victim’s account.

Since information about the vulnerability was exposed in October, a growing list of threat actors have been incorporating the exploit into their infostealers and malware to get access to Google accounts. At least six groups are now actively exploiting the vulnerability with their own malware.

CloudSEK’s analysis confirms that the Google OAuth endpoint, MultiLogin, which is designed to synchronize Google Accounts across services and give users a consistent user experience, is part of the key used by threat actors to break into Google Accounts.

Reverse engineering has revealed that the malware targets the token_service table of Chrome's WebData to extract tokens and account IDs from Chrome profiles.

Threat actors can use the stolen information to regenerate session cookies, which are designed to have a limited lifespan, to unlock access to a victim’s account.
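As an added example (not code from the article, CloudSEK, or Google), here is a small detector built around the behaviour described above: it flags any process other than Chrome itself that reads a profile's `Web Data` SQLite file, where the `token_service` table lives. The event format, file paths, process names and allowlist are constructed assumptions for illustration.

```python
"""Flag non-browser processes reading Chrome's profile credential stores.

The 'Web Data' file holds the token_service table that the infostealers
described in the article read. Sample events below are constructed in a
simple 'image|target' format; this is not the article's or Google's code."""
import re
from collections import defaultdict

# Matches '...\User Data\<profile>\Web Data' or '...\Login Data' (case-insensitive).
WEBDATA_RE = re.compile(r"\\User Data\\[^\\]+\\(Web Data|Login Data)$", re.IGNORECASE)

# Assumption: only the browser binary itself is expected to open these files.
ALLOWED_IMAGES = {"chrome.exe"}

# Constructed sample file-access events: process image | target file.
SAMPLE_EVENTS = [
    r"C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"C:\Users\alice\AppData\Local\Temp\setup_update.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"C:\Users\alice\AppData\Local\Temp\setup_update.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data",
    r"C:\Windows\System32\notepad.exe|C:\Users\alice\Documents\notes.txt",
]


def parse_event(line):
    """Split one 'image|target' event into (process image, target path)."""
    image, _, target = line.partition("|")
    return image.strip(), target.strip()


def suspicious_accesses(events):
    """Return {process image: [credential files it read]} for non-allowlisted readers."""
    hits = defaultdict(list)
    for line in events:
        image, target = parse_event(line)
        if not WEBDATA_RE.search(target):
            continue  # not a Chrome credential store
        exe_name = image.rsplit("\\", 1)[-1].lower()
        if exe_name in ALLOWED_IMAGES:
            continue  # the browser reading its own files is expected
        hits[image].append(target)
    return dict(hits)


if __name__ == "__main__":
    for proc, files in suspicious_accesses(SAMPLE_EVENTS).items():
        print(f"ALERT: {proc} read {len(files)} Chrome credential store(s):")
        for path in files:
            print("   ", path)
```

In a real deployment the same check would run over Sysmon or EDR file-access telemetry rather than the constructed list, with the allowlist widened to cover legitimate backup or sync agents.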

Reporting by Bleeping Computer reveals that one group, Lumma, has already updated the exploit to counteract Google's mitigations, indicating that Google is already aware of the exploit. By the looks of it, though, Lumma has outsmarted the company – for now.

A Google spokesperson told TechRadar Pro in an email:

"Google is aware of recent reports of a malware family stealing session tokens. Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.

"However, it’s important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user. This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user's devices page. We will continue to monitor the situation and provide updates as needed."

In the meantime, users can avoid a lot of cybersecurity problems just by being careful about what they download – a lot of malware is actually ‘voluntarily’ downloaded (intentionally or unintentionally) by the victim. Chrome users can also enable Enhanced Safe Browsing to protect against phishing and malware downloads.
