Malware Using Google MultiLogin Exploit to Maintain Access Despite Password Reset

Information-stealing malware is actively taking advantage of an undocumented Google OAuth endpoint named MultiLogin to hijack user sessions and allow continuous access to Google services even after a password reset.

According to CloudSEK, the critical exploit facilitates session persistence and cookie generation, enabling threat actors to maintain access to a valid session in an unauthorized manner.

The technique was first revealed by a threat actor named PRISMA on October 20, 2023, on their Telegram channel. It has since been incorporated into various malware-as-a-service (MaaS) stealer families, such as Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.

The MultiLogin authentication endpoint is primarily designed for synchronizing Google accounts across services when users sign in to their accounts in the Chrome web browser (i.e., profiles).

Reverse engineering of the Lumma Stealer code revealed that the technique targets "Chrome's token_service table of WebData to extract tokens and account IDs of chrome profiles logged in," security researcher Pavan Karthick M said. "This table contains two crucial columns: service (GAIA ID) and encrypted_token."

This token:GAIA ID pair is then combined with the MultiLogin endpoint to regenerate Google authentication cookies.
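As an added defender-side example that is not part of the article (the event schema, file paths, process names and sample events are all constructed): a small detector that flags reads of Chrome's profile database by processes other than the browser, since that "Web Data" file holds the token_service table the stealers read.

```python
import json
from pathlib import PureWindowsPath

# Assumed: browser processes that legitimately open their own profile database.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}


def is_chrome_webdata(path: str) -> bool:
    """True for a Chromium profile's 'Web Data' SQLite file (assumed layout:
    ...\\User Data\\<profile>\\Web Data), which holds the token_service table."""
    p = PureWindowsPath(path)
    parts = [x.lower() for x in p.parts]
    return p.name.lower() == "web data" and "user data" in parts


def detect_webdata_access(event_lines):
    """Return one alert per file-read of 'Web Data' by a non-browser process.
    Each line is a JSON object with pid, image, action, target (constructed schema)."""
    alerts = []
    for line in event_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("action") != "file_read":
            continue
        if not is_chrome_webdata(ev.get("target", "")):
            continue
        image = PureWindowsPath(ev.get("image", "")).name.lower()
        if image in BROWSER_IMAGES:
            continue
        alerts.append({"pid": ev.get("pid"), "image": image, "target": ev["target"],
                       "reason": "non-browser read of Chrome token store (token_service)"})
    return alerts


# Constructed sample telemetry: one benign browser read, one suspicious read by a
# process in Temp, one unrelated read, and a create (not a read) by explorer.exe.
SAMPLE_EVENTS = r"""
{"pid": 4120, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "action": "file_read", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}
{"pid": 7788, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update_helper.exe", "action": "file_read", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}
{"pid": 7788, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update_helper.exe", "action": "file_read", "target": "C:\\Users\\alice\\Documents\\notes.txt"}
{"pid": 1304, "image": "C:\\Windows\\explorer.exe", "action": "file_create", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect_webdata_access(SAMPLE_EVENTS):
        print(alert)
```

On a real host this logic would sit on top of file-access auditing (for example an object-access SACL on the profile directory), with the browser's update and crash-handler binaries added to the allow list after review.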

Karthick told The Hacker News that three different token-cookie generation scenarios were tested –

  • When the user is logged in with the browser, in which case the token can be used any number of times.
  • When the user changes the password but lets Google remain signed in, in which case the token can only be used once as the token was already used once to let the user remain signed in.
  • If the user signs out of the browser, then the token will be revoked and deleted from the browser's local storage, which will be regenerated upon logging in again.

When reached for comment, Google acknowledged the existence of the attack method but noted that users can revoke the stolen sessions by logging out of the impacted browser.

"Google is aware of recent reports of a malware family stealing session tokens," the company told The Hacker News. "Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected."

"However, it's important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user," it further added. "This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user's devices page. We will continue to monitor the situation and provide updates as needed."

The company further recommended users turn on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.

"It's advised to change passwords so the threat actors wouldn't utilize password reset auth flows to restore passwords," Karthick said. "Also, users should be advised to monitor their account activity for suspicious sessions which are from IPs and locations which they don't recognize."

"Google's clarification is an important aspect of user security," said Hudson Rock co-founder and chief technology officer, Alon Gal, who previously disclosed details of the exploit late last year.

"However, the incident sheds light on a sophisticated exploit that may challenge the traditional methods of securing accounts. While Google's measures are valuable, this situation highlights the need for more advanced security solutions to counter evolving cyber threats such as in the case of infostealers which are tremendously popular among cybercriminals these days."

(The story was updated after publication to include additional comments from CloudSEK and Alon Gal.)

Source: Malware Using Google MultiLogin Exploit to Maintain Access Despite Password Reset (thehackernews.com)
