Information-stealing malware is actively exploiting an undocumented Google OAuth endpoint called MultiLogin to hijack user sessions and keep access to Google services even after a password reset, a problem that concerns Google Chrome. Although not much time has passed since the last (or rather the regarding this problem), Google faces another challenge, namely the MultiLogin endpoint.
What is the problem with Google OAuth MultiLogin?
According to CloudSEK, the critical exploit facilitates session persistence and cookie generation, allowing threat actors to maintain access to a valid session in an unauthorized manner.
The technique was first revealed by a threat actor called PRISMA on October 20, 2023, on their Telegram channel; it has since been incorporated into various information-stealing malware-as-a-service (MaaS) families such as Lumma, Rhadamanthys, Stealc, Meduza, RisePro and WhiteSnake.
The MultiLogin authentication endpoint is mainly designed to sync Google accounts across different services when users log in to their accounts in the Chrome browser (for example, across profiles).
A reverse engineering of the Lumma Stealer code revealed that the technique targets the “Chrome WebData token_service table to extract tokens and account IDs of connected Chrome profiles,” said security researcher Pavan Karthick M. “This table contains two crucial columns: service (GAIA ID) and encrypted_token.”
This token:GAIA ID pair is then combined with the MultiLogin endpoint to regenerate the Google authentication cookies.
Karthick stated that three different token-cookie generation scenarios were tested:
- When the user is logged in to the browser, the token can be used an unlimited number of times.
- When the user changes their password but leaves Google logged in, the token can only be used once, since it has already been used to keep the user logged in.
- If the user logs out of the browser, the token is revoked and deleted from the browser's local storage, and is regenerated at the next login.
When asked for comment, Google acknowledged the existence of the attack method but stressed that users can revoke stolen sessions by logging out of the affected browser.
“Google is aware of recent reports of a malware family that steals session tokens,” the company said. “Attacks involving malware that steals cookies and tokens are not new; we regularly update our defenses against such techniques and to protect users who fall victim to malware. In this case, Google took steps to protect the compromised accounts it detected.”
“However, it is important to note a misinterpretation in the reports that suggests that stolen tokens and cookies cannot be revoked by the user,” it added. “This is wrong, as stolen sessions can be invalidated simply by logging out of the affected browser, or revoked remotely via the user's devices page. We will continue to monitor the situation and provide updates as necessary.”
The company also advised users to activate Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.
“It is recommended to change your passwords so that cybercriminals cannot use authentication flows to reset passwords,” Karthick said. “Additionally, users should be advised to monitor their account activity for suspicious sessions coming from IP addresses and locations they do not recognize.”
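The advice above, monitoring account activity for sessions from unrecognized IPs or locations, can be turned into a small review routine. The following is an added example written for this page, not code from CloudSEK, Google or the article's author. It assumes a list of session records exported from an account's activity view (the field names, the constructed sample sessions, the TEST-NET address ranges and the password-reset timestamp are all this example's own assumptions) and flags, from a defender's point of view, three things the article describes: sessions from an IP outside the networks the user knows, sessions from an unfamiliar location, and sessions that were established before the last password reset yet are still active afterwards, which is exactly the persistence the MultiLogin abuse gives an attacker. A session the user has logged out of is treated as revoked, matching Google's statement.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List


@dataclass
class Session:
    """One account-activity record. Field names are this example's own, not a Google API."""
    session_id: str
    ip: str
    location: str
    created_at: datetime   # when the session/cookie was first established
    last_seen: datetime    # most recent activity on the session
    logged_out: bool = False  # True once the user logged out of that browser


def _utc(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC so comparisons are timezone-aware."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


# Constructed "known good" origins; TEST-NET-3 is used as a placeholder home network.
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]
KNOWN_LOCATIONS = {"Milan, IT", "Rome, IT"}

# Constructed time of the user's last password reset.
PASSWORD_RESET_AT = _utc("2024-01-03T12:00:00")

# Constructed sample activity: two familiar devices, one logged-out device, one stranger.
SAMPLE_SESSIONS = [
    Session("s-home", "203.0.113.10", "Milan, IT",
            _utc("2024-01-03T13:00:00"), _utc("2024-01-05T08:00:00")),
    Session("s-laptop", "203.0.113.20", "Rome, IT",
            _utc("2023-12-20T09:00:00"), _utc("2024-01-04T18:30:00")),
    Session("s-phone", "203.0.113.30", "Milan, IT",
            _utc("2023-12-30T10:00:00"), _utc("2024-01-04T07:00:00"), logged_out=True),
    Session("s-unknown", "198.51.100.7", "Unknown, XX",
            _utc("2023-12-28T02:15:00"), _utc("2024-01-06T03:40:00")),
]


def session_reasons(s: Session,
                    known_networks=KNOWN_NETWORKS,
                    known_locations=KNOWN_LOCATIONS,
                    reset_at: datetime = PASSWORD_RESET_AT) -> List[str]:
    """Return the list of reasons a session deserves review (empty list = nothing odd)."""
    reasons: List[str] = []
    if s.logged_out:
        # Logging out of the browser revokes the token, so nothing to review.
        return reasons
    addr = ip_address(s.ip)
    if not any(addr in net for net in known_networks):
        reasons.append(f"IP {s.ip} is outside the known networks")
    if s.location not in known_locations:
        reasons.append(f"location {s.location!r} is not recognized")
    if s.created_at < reset_at <= s.last_seen:
        # The core MultiLogin risk: a session minted before the reset is still alive after it.
        reasons.append("session established before the password reset is still active")
    return reasons


def review_sessions(sessions: Iterable[Session],
                    known_networks=KNOWN_NETWORKS,
                    known_locations=KNOWN_LOCATIONS,
                    reset_at: datetime = PASSWORD_RESET_AT) -> Dict[str, List[str]]:
    """Map each flagged session id to its reasons; clean sessions are omitted."""
    flagged: Dict[str, List[str]] = {}
    for s in sessions:
        reasons = session_reasons(s, known_networks, known_locations, reset_at)
        if reasons:
            flagged[s.session_id] = reasons
    return flagged


if __name__ == "__main__":
    for sid, reasons in review_sessions(SAMPLE_SESSIONS).items():
        print(f"{sid}: " + "; ".join(reasons))
```

On the constructed sample, `s-home` and `s-phone` produce no findings, `s-laptop` is reported only because it predates the reset and is still active (a familiar device, but exactly the kind of session worth signing out of), and `s-unknown` trips all three checks. The reset-time check is deliberately independent of the IP and location checks, because the article's point is that a stolen token can regenerate valid cookies from anywhere once the password has been changed.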
“Google's clarification is an important aspect of user safety,” said Alon Gal, co-founder and chief technology officer of Hudson Rock, who previously disclosed details about the exploit late last year. “However, the incident highlights a sophisticated exploit that could challenge traditional methods of account security. While Google's measures are valuable, this situation highlights the need for more advanced security solutions to counter evolving cyber threats, as is the case with infostealers, which are extremely popular among cyber criminals these days.”