Connect with us

Hi, what are you looking for?


Malware & Threats

Several Infostealers Using Persistent Cookies to Hijack Google Accounts

A vulnerability in Google’s authentication process allows malware to restore cookies and hijack user sessions.

Multiple information stealers have been adopting a new technique that allows them to restore Google cookies and compromise accounts even if the victims change their passwords, threat intelligence firm CloudSEK reports.

A vulnerability in Google’s authentication process, described by some as a zero-day, allows threat actors to regenerate persistent Google cookies and gain continuous access to Google services, and information stealers have been exploiting it in the wild for over a month and a half, the cybersecurity firm says.

The issue is related to the undocumented MultiLogin endpoint, a mechanism for synchronizing accounts across Google services, when used in combination with account ID and tokens extracted from Chrome.

The browser stores the Google Accounts and ID Administration (GAIA) IDs and the encrypted tokens for all logged-in accounts and the attackers extract the pair and decrypt the tokens “using an encryption key stored in Chrome’s Local State within the UserData directory”, CloudSEK explains.

Part of Google’s OAuth system, MultiLogin works by accepting a vector of account IDs and auth-login tokens, playing a vital role in user authentication.

What threat actors discovered was that they could extract the token-GAIA ID pair from Google and use it in conjunction with the MultiLogin endpoint to regenerate Google cookies, for persistent access.

The malware developer who made the discovery initially announced it in October and, by mid-November, the prominent infostealer family Lumma had implemented the technique.

“This will result in a major shift in the cybercrime world, enabling hackers to infiltrate even more accounts and perform significant attacks. It is important to note that it’s not just ordinary Gmail accounts that are accessed through Google, but rather a lot of corporate email addresses belonging to organizations that will likely suffer ransomware attacks, and other types of cyberattacks,” Hudson Rock co-founder and CTO Alon Gal warned at the time.

Advertisement. Scroll to continue reading.

Lumma, CloudSEK discovered, encrypted the token-GAIA ID pair with its own keys, to prevent other malware families from implementing the mechanism. However, it did not take long for others to adopt it and, by the end of December, six other infostealers were leveraging the technique.

According to Hudson Rock, the technique will likely be adopted by all infostealer groups unless Google – which was alerted over a month ago – steps up.

“Even more alarming is the fact that this exploit remains effective even after users have reset their passwords. This persistence in access allows for prolonged and potentially unnoticed exploitation of user accounts and data,” CloudSEK notes.

SecurityWeek has emailed Google for a statement on this attack and will update this article as soon as a reply arrives.

UPDATE: Google has provided the following statement:

Google is aware of recent reports of a malware family stealing session tokens. Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected. 

However, it’s important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user. This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user’s devices page. We will continue to monitor the situation and provide updates as needed.

In the meantime, users should continually take steps to remove any malware from their computer, and we recommend turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.

Related: macOS Info-Stealer Malware ‘MetaStealer’ Targeting Businesses

Related: Hacker Forum Credentials Found on 120,000 PCs Infected With Info-Stealer Malware

Related: Threat Actors Adopt, Modify Open Source ‘SapphireStealer’ Information Stealer

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.