Google has acknowledged a severe vulnerability that allows malware to steal files from Chrome and gain unauthorized access to Google Accounts, even after passwords have been changed [2]. This vulnerability exploits an undocumented Google OAuth endpoint called MultiLogin [5], enabling threat actors to steal session tokens and manipulate them to generate persistent Google cookies. This grants continuous access to Google services [1] [4], even after a password reset or logging out [5].

Description

Google has identified a vulnerability that allows malware to exfiltrate files from Chrome and gain access to Google Accounts [2]. This vulnerability exploits an undocumented Google OAuth endpoint called MultiLogin [5], which threat actors use to steal session tokens. By manipulating these tokens, hackers can generate persistent Google cookies that grant continuous access to Google services [1] [4]. The malware strains can restore expired session cookies, the authentication cookies that carry a logged-in user's authentication information [5]. This lets hackers gain unauthorized access to victims' Google accounts even after a password reset or logging out [5].

Google has responded to this session token malware by taking action to secure compromised accounts and advising users to sign out of affected browsers or devices [2]. Users can also remotely revoke stolen sessions through their devices page. It is unclear whether two-factor authentication provides any protection against this exploit [2]. The restoration process can be repeated multiple times without the victim's knowledge [2], and the exploit can still be used to gain access to the account even after a password reset [1] [2] [4] [5] [6]. Multiple malware groups have access to this vulnerability and are selling it [2], with some claiming to have already updated it to bypass Google's countermeasures [2].
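The core defensive point above is that a password reset only helps if the server also invalidates the sessions minted before it, and that a user needs a way to revoke individual devices remotely. The following is an added illustration of that session-management rule in a toy server, written for this page; it is not Google's implementation, says nothing about how MultiLogin works internally, and all names (`WeakSessionStore`, `HardenedSessionStore`, `revoke_device`, the constructed account `victim@example.test`) are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    """One signed-in browser or device (hypothetical model)."""
    token: str
    user: str
    device: str
    credential_version: int   # which password generation minted this session
    revoked: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class WeakSessionStore:
    """Server whose sessions do not depend on the password: the failure mode
    the article describes, where a stolen token survives a reset."""

    def __init__(self) -> None:
        # user -> (salt, password hash, credential version)
        self._creds: Dict[str, Tuple[bytes, bytes, int]] = {}
        self._sessions: Dict[str, Session] = {}

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._creds[user] = (salt, _hash_password(password, salt), 1)

    def login(self, user: str, password: str, device: str) -> Optional[str]:
        salt, digest, version = self._creds[user]
        if not hmac.compare_digest(digest, _hash_password(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(token, user, device, version)
        return token

    def change_password(self, user: str, new_password: str) -> None:
        salt = secrets.token_bytes(16)
        _, _, version = self._creds[user]
        # Weak: the credential changes but every existing session stays valid.
        self._creds[user] = (salt, _hash_password(new_password, salt), version)

    def is_valid(self, token: str) -> bool:
        s = self._sessions.get(token)
        return s is not None and not s.revoked


class HardenedSessionStore(WeakSessionStore):
    """Same server, but a password reset bumps the credential version so every
    session minted before it is rejected, and a single device can be revoked
    remotely (the role of the 'devices page' the article mentions)."""

    def change_password(self, user: str, new_password: str) -> None:
        salt = secrets.token_bytes(16)
        _, _, version = self._creds[user]
        self._creds[user] = (salt, _hash_password(new_password, salt), version + 1)

    def is_valid(self, token: str) -> bool:
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return False
        return s.credential_version == self._creds[s.user][2]

    def revoke_device(self, user: str, device: str) -> int:
        """Remote sign-out of one device; returns how many sessions were revoked."""
        count = 0
        for s in self._sessions.values():
            if s.user == user and s.device == device and not s.revoked:
                s.revoked = True
                count += 1
        return count

    def active_sessions(self, user: str) -> List[str]:
        """What an account-activity review would list: live devices for the user."""
        return sorted(s.device for s in self._sessions.values()
                      if s.user == user and self.is_valid(s.token))


def demo() -> Dict[str, bool]:
    """Run both stores through the scenario: a token is stolen, then the victim
    resets the password. Reports whether the stolen token still works."""
    results: Dict[str, bool] = {}
    for name, store in (("weak", WeakSessionStore()), ("hardened", HardenedSessionStore())):
        store.register("victim@example.test", "old-pass")        # constructed account
        stolen = store.login("victim@example.test", "old-pass", "victim-laptop")
        store.change_password("victim@example.test", "new-pass")
        results[f"{name}_token_survives_reset"] = store.is_valid(stolen)
    return results


if __name__ == "__main__":
    print(demo())
```

The hardened variant rejects any session whose recorded credential version no longer matches the account's current one, so a reset cuts off every pre-reset token at once, while `revoke_device` and `active_sessions` model the per-device sign-out and the activity review the article recommends.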

CloudSEK [1] [4], a cybersecurity intelligence company [1], analyzed the Chromium codebase and confirmed the existence of the MultiLogin endpoint [1], which is used for synchronizing Google accounts [1] [6]. While this feature is important for user authentication [1], it can be exploited if mishandled [1]. It is advised to avoid installing unfamiliar software to prevent potential malware installation [2].

Conclusion

This vulnerability highlights the need for more advanced security solutions to counter evolving cyber threats [3] [6]. Attackers have been exploiting an undocumented Google OAuth endpoint to hijack user sessions and maintain continuous access to Google services [4], even after a password reset [1] [2] [4] [5] [6]. Infostealers such as Lumma and Rhadamanthys have integrated this capability into their malware [4]. Google recommends users revoke stolen sessions by logging out of the impacted browser and turning on Enhanced Safe Browsing in Chrome [6]. Monitoring account activity for suspicious sessions is also advised [6]. It is crucial to stay vigilant and implement robust security measures to protect against such exploits in the future.

References

[1] https://www.csoonline.com/article/1285861/highly-exploited-chromium-bug-traced-to-a-google-oauth-endpoint.html
[2] https://9to5google.com/2024/01/02/google-account-cookies/
[3] https://thehackernews.com/2024/01/malware-using-google-multilogin-exploit.html
[4] https://www.darkreading.com/cloud-security/attackers-abuse-google-oauth-endpoint-hijack-user-sessions
[5] https://www.tomsguide.com/news/this-new-malware-exploit-can-take-over-your-google-account-even-after-a-password-reset-what-you-need-to-know
[6] https://owasp.or.id/2024/01/03/malware-using-google-multilogin-exploit-to-maintain-access-despite-password-reset/