Several info-stealing malware strains are actively exploiting an undocumented Google OAuth endpoint named MultiLogin to take over Google accounts even after a password reset.
As reported by BleepingComputer, this exploit allows certain malware strains to restore expired authentication cookies, which are then used to log in to victims’ Google accounts.
Of the various browser cookies used on the web, session cookies are a special type of cookie that contain authentication information. If you’ve ever opened your browser and gone straight to a site you previously logged in to without signing in again, session cookies made that possible. However, these cookies are designed to have a short lifespan before expiring so that hackers can’t use them to log in to stolen accounts indefinitely.
Back in November of last year, the cybercriminals behind the Lumma and Rhadamanthys info-stealing malware strains claimed that they were able to restore expired Google authentication cookies that were stolen in cyberattacks. With these cookies in hand, a hacker can gain unauthorized access to your Google account even after you’ve logged out, reset your password or the session has expired.
Restoring expired Google Authentication cookies
In an effort to better explain how hackers are using this new zero-day exploit, the cybersecurity firm CloudSEK has released a new report.
In the report, the firm’s researchers explain that the exploit was first revealed by a threat actor called PRISMA in a Telegram post back in October of last year. In the post, they explained that they had found a way to restore Google authentication cookies that had expired.
CloudSEK then reverse engineered the exploit and found that it uses an undocumented Google OAuth endpoint named MultiLogin, which is used to synchronize accounts across a number of different Google services.
By abusing this endpoint, info-stealing malware is able to extract tokens and account IDs from Chrome profiles that are logged into a Google account. Within this stolen information, there are two critical pieces of data: a GAIA ID and encrypted tokens. These encrypted tokens are decrypted using an encryption key stored within Chrome’s “Local State” file, and the same key can also be used to decrypt any saved passwords in a victim’s browser.
By using the stolen tokens and Google’s MultiLogin endpoint, hackers can regenerate expired Google service cookies and maintain persistent access to compromised accounts. It’s worth noting that if a user resets their Google password, an authentication cookie can be regenerated only once; if they don’t, it can be regenerated multiple times.
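As an added illustration from the defender’s side (this is example code, not from the article, CloudSEK or Google), the following Python sketch flags processes other than Chrome that read the “Local State” file the article describes together with a profile’s credential or token store within a short window; the event format, sample events and trusted-process list are assumptions for this example.

```python
"""Detection heuristic (added example): a non-browser process reading Chrome's
"Local State" (holds the wrapped key the article describes) plus a profile
credential/token store within a short window is a stealer-like access pattern."""
from collections import defaultdict

# Assumed trusted readers; tune per environment (backup agents, EDR, etc.).
TRUSTED = frozenset({"chrome.exe"})
# Real Chrome filenames; which stores to watch is an assumption of this example.
PROFILE_STORES = ("login data", "web data", "network\\cookies")
USER_DATA = "\\google\\chrome\\user data\\"

def classify(path):
    """Return 'key' for Local State, 'store' for a profile store, else None."""
    p = path.lower().replace("/", "\\")
    if USER_DATA not in p:
        return None
    tail = p.split(USER_DATA, 1)[1]
    if tail == "local state":
        return "key"
    if any(tail.endswith(s) for s in PROFILE_STORES):
        return "store"
    return None

def detect(events, window=60):
    """events: dicts with ts, host, proc, pid, path (assumed EDR-style schema)."""
    seen = defaultdict(list)  # (host, pid, proc) -> [(ts, kind, path)]
    for e in events:
        kind = classify(e["path"])
        if kind and e["proc"].lower() not in TRUSTED:
            seen[(e["host"], e["pid"], e["proc"])].append((e["ts"], kind, e["path"]))
    alerts = []
    for (host, pid, proc), hits in seen.items():
        keys = [(t, p) for t, k, p in hits if k == "key"]
        stores = [(t, p) for t, k, p in hits if k == "store"]
        # Store reads close in time to a key read escalate the finding.
        paired = sorted({p for kt, _ in keys for st, p in stores if abs(st - kt) <= window})
        if keys:
            alerts.append({"host": host, "proc": proc, "pid": pid,
                           "severity": "high" if paired else "medium",
                           "files": [keys[0][1]] + paired})
    return sorted(alerts, key=lambda a: (a["host"], a["pid"]))

BASE = "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"ts": 100, "host": "ws01", "proc": "chrome.exe", "pid": 4120, "path": BASE + "Local State"},
    {"ts": 101, "host": "ws01", "proc": "chrome.exe", "pid": 4120, "path": BASE + "Default\\Login Data"},
    {"ts": 300, "host": "ws01", "proc": "update.exe", "pid": 9001, "path": BASE + "Local State"},
    {"ts": 305, "host": "ws01", "proc": "update.exe", "pid": 9001, "path": BASE + "Default\\Web Data"},
    {"ts": 900, "host": "ws02", "proc": "backup.exe", "pid": 77, "path": BASE + "Local State"},
    {"ts": 950, "host": "ws02", "proc": "backup.exe", "pid": 77, "path": "C:\\Users\\alice\\Documents\\notes.txt"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Tuning the allowlist and window to local telemetry matters more than the file list; a legitimate backup agent will read the same files but usually far apart in time and from a known process.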
How to stay safe from attacks exploiting this zero-day flaw
Fortunately, Google is aware of this issue and in a statement to The Hacker News, a company spokesperson has provided further details along with some tips on how users can protect themselves while using Chrome.
Stealing cookies and session tokens is nothing new, and as the search giant points out, it has “taken action to secure any compromised accounts detected.” Likewise, Google’s spokesperson points out that “simply signing out of the affected browser” will revoke a user’s session cookies. At the same time, the company recommends that users turn on Enhanced Safe Browsing in Chrome for additional protection against malware and phishing attacks.
You should also regularly change your Google password to keep your account safe from hackers. If you have a hard time coming up with new passwords, a password generator can help and all of the best password managers also offer this feature. As for protecting yourself and your devices from malware and hackers, you should be using the best antivirus software on your PC, the best Mac antivirus software on your Apple computers and one of the best Android antivirus apps on your Android smartphone.
Now that hackers have figured out how to add the ability to restore session cookies to their malware, expect more malware strains to adopt this feature as Google works to crack down on cookie and token theft in Chrome.