A reportedly new technique abuses Google's OAuth2 infrastructure to keep compromised Google accounts accessible. Attackers regenerate valid session cookies on demand, so their access survives a change of IP address and even a password reset.
Google accounts may be susceptible to a new hack
According to security firm CloudSEK, a threat actor using the alias PRISMA has claimed to hold a powerful zero-day exploit and has devised a method to create persistent Google cookies by manipulating tokens.
“This exploit allows uninterrupted access to Google services, even following a user’s password reset,” states the report.
OAuth 2.0, short for “Open Authorization 2.0,” is the widely adopted framework for delegated, token-based access to internet resources. Most users meet it as “Sign in with Google” or “Sign in with Facebook,” where a site relies on an existing account instead of managing its own credentials.
CloudSEK’s threat research team traced the root of the exploit to an undocumented Google OAuth endpoint called “MultiLogin.” This internal mechanism keeps Google accounts synchronized across services, so that the set of accounts the browser considers signed in matches Google’s authentication cookies.
The exploit’s developer cooperated with the researchers, which sped up identification of the endpoint responsible for regenerating the cookies.
The exploit, integrated into the Lumma infostealer on November 14th (2023), has two primary features: session persistence and cookie generation. To obtain the secrets, tokens, and account IDs it needs, the malware reads Chrome’s token_service table in the Web Data SQLite database of logged-in Chrome profiles.
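As an added, runnable illustration (not code from CloudSEK, Lumma, or the article), here is a small forensic check that opens a copy of a Chrome profile's Web Data database and lists the Google accounts that have a refresh token stored in token_service, which is exactly the data the stealer harvests. It assumes Chromium's table schema (service, encrypted_token) and its "AccountId-<gaia id>" key convention; the sample database it builds is constructed, and the token blobs are placeholders, not real DPAPI or Keychain ciphertext.

```python
"""Inspect a copy of Chrome's "Web Data" file for stored Google refresh tokens.

Added example for this article; not CloudSEK's or the malware's code.
Assumptions: Chromium's token_service schema
(service VARCHAR PRIMARY KEY, encrypted_token BLOB) and the
"AccountId-<gaia id>" key prefix. The sample database is constructed.
"""
import os
import sqlite3
import tempfile
from pathlib import Path

# Chromium stores each signed-in account's refresh token under this key prefix.
ACCOUNT_PREFIX = "AccountId-"


def build_sample_webdata(path):
    """Create a constructed Web Data file using Chromium's token_service layout."""
    con = sqlite3.connect(path)
    with con:
        con.execute(
            "CREATE TABLE token_service ("
            "service VARCHAR PRIMARY KEY NOT NULL, encrypted_token BLOB)"
        )
        con.executemany(
            "INSERT INTO token_service (service, encrypted_token) VALUES (?, ?)",
            [
                # Two constructed GAIA IDs with placeholder OS-encrypted blobs.
                ("AccountId-100000000000000000001", b"\x01\x00\x00\x00" + b"\xaa" * 60),
                ("AccountId-100000000000000000002", b"\x01\x00\x00\x00" + b"\xbb" * 60),
                # A non-account row; the inspector must ignore it.
                ("SomeOtherService", b"\x00" * 8),
            ],
        )
    con.close()


def list_token_accounts(path):
    """Return sorted (gaia_id, encrypted_token_length) pairs for every account
    with a stored refresh token.

    Opens the file read-only and never decrypts anything: the goal is to see
    which accounts an infostealer on this host could have harvested.
    """
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT service, encrypted_token FROM token_service"
        ).fetchall()
    finally:
        con.close()

    found = []
    for service, blob in rows:
        if not service.startswith(ACCOUNT_PREFIX):
            continue
        gaia_id = service[len(ACCOUNT_PREFIX):]
        found.append((gaia_id, len(blob or b"")))
    return sorted(found)


def demo():
    """Build the constructed database in a temp dir and inspect it."""
    workdir = tempfile.mkdtemp()
    db_path = os.path.join(workdir, "Web Data")
    build_sample_webdata(db_path)
    return list_token_accounts(db_path)


if __name__ == "__main__":
    for gaia_id, size in demo():
        print(f"refresh token present for GAIA ID {gaia_id} ({size} bytes, encrypted)")
```

Run it against a copy of the profile's Web Data file rather than the live one, since Chrome holds the database open. Every GAIA ID the script reports is an account whose long-lived token sat on the host and should be treated as exposed if the machine ran an infostealer; the encrypted_token column is protected with the OS user's credentials, which is why the stealer needs to run as the logged-in user to make use of it.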
“The session remains valid even when the account password is changed, providing a unique advantage in bypassing typical security measures,” as stated by PRISMA in the report. “The capability to generate valid cookies in the event of a session disruption enhances the attacker’s ability to maintain unauthorized access.”
Researchers observed a concerning trend: the exploit was quickly adopted across several infostealer groups. They describe the abuse of the undocumented Google OAuth2 MultiLogin endpoint as a prime example of sophistication, relying on careful manipulation of the GAIA ID (Google Accounts and ID Administration) token. The malware hides the exploit mechanism behind a layer of encryption.
“This exploitation technique demonstrates a higher level of sophistication and understanding of Google’s internal authentication mechanisms. By manipulating the token: GAIA ID pair, Lumma can continuously regenerate cookies for Google services. Even more alarming is the fact that this exploit remains effective even after users have reset their passwords. This persistence in access allows for prolonged and potentially unnoticed exploitation of user accounts and data,” concluded the CloudSEK team.