Multiple information stealers have been adopting a new technique that allows them to restore Google cookies and compromise accounts even if the victims change their passwords, threat intelligence firm CloudSEK reports.
A vulnerability in Google’s authentication process, described by some as a zero-day, allows threat actors to regenerate persistent Google cookies and gain continuous access to Google services, and information stealers have been exploiting it in the wild for over a month and a half, the cybersecurity firm says.
The issue is related to the undocumented MultiLogin endpoint, a mechanism for synchronizing accounts across Google services, when used in combination with account ID and tokens extracted from Chrome.
The browser stores the Google Accounts and ID Administration (GAIA) IDs and the encrypted tokens for all logged-in accounts and the attackers extract the pair and decrypt the tokens “using an encryption key stored in Chrome’s Local State within the UserData directory”, CloudSEK explains.
Part of Google’s OAuth system, MultiLogin works by accepting a vector of account IDs and auth-login tokens, playing a vital role in user authentication.
What threat actors discovered was that they could extract the token-GAIA ID pair from Google and use it in conjunction with the MultiLogin endpoint to regenerate Google cookies, for persistent access.
The malware developer who made the discovery initially announced it in October and, by mid-November, the prominent infostealer family Lumma had implemented the technique.
“This will result in a major shift in the cybercrime world, enabling hackers to infiltrate even more accounts and perform significant attacks. It is important to note that it’s not just ordinary Gmail accounts that are accessed through Google, but rather a lot of corporate email addresses belonging to organizations that will likely suffer ransomware attacks, and other types of cyberattacks,” Hudson Rock co-founder and CTO Alon Gal warned at the time.
Lumma, CloudSEK discovered, encrypted the token-GAIA ID pair with its own keys, to prevent other malware families from implementing the mechanism. However, it did not take long for others to adopt it and, by the end of December, six other infostealers were leveraging the technique.
According to Hudson Rock, the technique will likely be adopted by all infostealer groups unless Google – which was alerted over a month ago – steps up.
“Even more alarming is the fact that this exploit remains effective even after users have reset their passwords. This persistence in access allows for prolonged and potentially unnoticed exploitation of user accounts and data,” CloudSEK notes.
SecurityWeek has emailed Google for a statement on this attack and will update this article as soon as a reply arrives.
UPDATE: Google has provided the following statement:
Google is aware of recent reports of a malware family stealing session tokens. Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.
However, it’s important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user. This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user’s devices page. We will continue to monitor the situation and provide updates as needed.
In the meantime, users should continually take steps to remove any malware from their computer, and we recommend turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.