A recent security report reveals that information-stealing malware is exploiting a previously undocumented Google OAuth endpoint known as MultiLogin. This vulnerability allows cybercriminals to hijack user sessions, granting them continuous access to Google services even after victims have conducted password resets. This revelation has raised significant concerns regarding user privacy and account security.
CloudSEK reported that this critical exploit enables unauthorized session persistence and cookie generation, effectively permitting malicious actors to maintain access to compromised accounts without detection. The technique was initially disclosed by a hacker known as PRISMA on October 20, 2023, via Telegram, and has subsequently been integrated into various malware-as-a-service stealer families, including prominent threats like Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.
The MultiLogin endpoint was originally intended to synchronize Google accounts across services when users log into their accounts through Chrome. In-depth analysis of the Lumma Stealer code has revealed that the malware specifically targets Chrome’s token_service table within WebData. This table contains critical information, such as the GAIA ID and an encrypted token linked to logged-in Chrome profiles, facilitating the regeneration of Google authentication cookies.
Researcher Pavan Karthick conducted tests on multiple token-cookie generation scenarios, showing that the exploit’s effectiveness depends on the state of the user’s session. The scenarios tested were: the user is still logged in; the user has changed the password but Google remains signed in; and the user has logged out, in which case the token is revoked and deleted from local storage.
In response to these alarming findings, Google has confirmed its awareness of the exploit, emphasizing that users have the ability to revoke any stolen sessions by logging out of affected browsers. The company’s statement highlights ongoing efforts to enhance defenses against cookie and token theft, asserting that they routinely update security measures to safeguard users against such attacks.
It is crucial to dispel the misconception that stolen tokens or cookies cannot be revoked. Google reassures users that they can invalidate compromised sessions by logging out or by remotely revoking access through their device management page. As an additional precaution, Google urges users to enable Enhanced Safe Browsing in Chrome, which adds a further layer of protection against phishing attacks and malware downloads.
Karthick also advises users to proactively change their passwords and actively monitor account activity for any suspicious sessions originating from unfamiliar IPs or locations. With advanced threats like infostealers proliferating in the cybercriminal landscape, the need for more robust security measures remains paramount.
Alon Gal, co-founder and CTO of Hudson Rock, emphasizes the incident’s significance in highlighting a sophisticated exploit that challenges traditional account security methods. The situation underscores the necessity for ongoing vigilance against ever-evolving cyber threats, particularly for business owners invested in safeguarding sensitive data.
This article is intended to provide business owners with vital information regarding current cybersecurity threats and best practices for maintaining account integrity and security.