Several malware families can give hackers access to Google accounts. For this, the malware abuses an OAuth2 functionality provided by Google. It is not possible to lock out the hacker by changing the password of an affected account.
The Google OAuth2 endpoint MultiLogin would be exploitable for breaking into Google accounts. Through the exploit, hackers steal session cookies, which contain login information. This cookie type remembers the login credentials so that users can access their accounts without entering the username and password each time. It can be used for accessing online services that authenticate you through your Google account.
It involves full authentication, in which two-step verification is bypassed because it is automatically generated from a previous session. Because of the sensitivity of the information contained in these types of cookies, the lifetime of session cookies should be short.
However, MultiLogin allows hackers to recover session cookies from Google. Breaking into a Google account is then possible by using an infostealer malware. Moreover, the exploit automatically generates the latest authentication information. This means the problem is not solved with a password change. That’s not the only problem because hackers can additionally maintain access for a long time. It is an option to re-generate the cookies should the hacker’s open session get interrupted.
Malware for sale online
There are several malware families in circulation, and, according to CloudSEK, there is evidence hackers abuse the exploit. This company’s research team discovered MulitLogin and published a blog with their findings. The evidence that cybercriminals already know about the exploit was actually the beginning point of the research. This came to the knowledge of the researchers through a Telegram message from threat actor “PRISMA”.
In the meantime, six info-stealers malware have already been found. Among the families is the Lumma Infostealer. This type of malware is known for stealing the following sensitive information: crypto wallets, browser extensions and codes for two-step verification. Lumma has been traded since 2022.
Convenience over security?
Google itself did not respond to the discovery and the misuse of MultiLogin has not been officially confirmed. The Hudson Rock team, which also investigates the exploit in another research, says Google is taking no action. They speculate that session cookies will also not be disabled for the sake of ease of use. Google recently released another tool for checking for leaks that expose your password. However, the feature will not be able to detect this specific exploit.
Also read: Google Chrome has Safety Check: controls and needs control
To protect your credentials from cookie theft, it is generally recommended not to use built-in services that save passwords. Otherwise, it is always wise to use such services only if a master password protects the data. In addition, it is recommended to change your settings to delete cookies automatically after closing the browser.