Google Endpoint Exploit Lets Hackers Hijack Accounts
In a troubling development in cybersecurity, multiple information-stealing malware families have been found exploiting an undocumented Google OAuth endpoint, identified as "MultiLogin," to regenerate expired authentication cookies. This discovery, initially made by a developer named PRISMA in October 2023, presents a significant threat to Google account security.
Hudson Rock’s Alon Gal was the first to report this vulnerability allegedly being leveraged, after exploitation of it was added to the feature list of an info-stealer malware called Lumma. While it is not yet certain that this functionality works, it has since been found implemented in other information-stealer malware. BleepingComputer reported that the exploit had been adopted by the malware families Rhadamanthys, Risepro, Meduza, Stealc Stealer, and possibly more.
This exploit is particularly alarming because session cookies, which should have a limited lifespan for security, could be manipulated for prolonged unauthorized access. It can even work after users have reset the password on their Google account.
The malware families involved rely on Chrome’s token_service table in the WebData database, targeting the tokens and account IDs of Chrome profiles. Once extracted, the encrypted tokens are decrypted using a key stored in Chrome's Local State file. This same key is also used to decrypt passwords saved in the browser, which compounds the exposure.
Researchers at CloudSEK reverse-engineered the exploit and discovered its dependence on an undocumented "MultiLogin" endpoint. This endpoint is a part of Google's internal mechanism designed for synchronizing Google accounts across services. It handles account IDs and auth-login tokens for managing concurrent sessions or transitioning between user profiles. The exploit uses this endpoint to regenerate Google service cookies by manipulating the token:GAIA ID pair.
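As an added defender-side illustration (not code from the article, CloudSEK or Google), the following detector scans constructed file-access records and flags any non-Chrome process that reads the two files named above, with a higher-confidence finding when one process reads both within a short window. The record format, the allowlist and the sample paths are assumptions.

```python
"""Detect non-browser processes reading Chrome's 'Web Data' (token_service table)
and 'Local State' (holds the token/password encryption key). Added example; the
tab-separated record format '<ISO timestamp>\t<process image>\t<file path>' is assumed."""
from collections import defaultdict
from datetime import datetime
import ntpath

# Hypothetical allowlist of processes expected to open Chrome profile files.
ALLOWED_IMAGES = {"chrome.exe"}
# The two files the stealers need: encrypted tokens and the key to decrypt them.
SENSITIVE_FILES = {"web data", "local state"}

# Constructed sample records: a legitimate Chrome read, a suspicious process reading
# both files one second apart, and an unrelated file access.
SAMPLE_LOG = """\
2024-01-05T10:00:01\tC:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\tC:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data
2024-01-05T10:02:10\tC:\\Users\\bob\\AppData\\Local\\Temp\\update.exe\tC:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Local State
2024-01-05T10:02:11\tC:\\Users\\bob\\AppData\\Local\\Temp\\update.exe\tC:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data
2024-01-05T10:05:00\tC:\\Windows\\explorer.exe\tC:\\Users\\bob\\Documents\\notes.txt
"""

def parse_record(line):
    """Split one record into (timestamp, lowercase image basename, lowercase path)."""
    ts, image, path = line.rstrip("\n").split("\t")
    return datetime.fromisoformat(ts), ntpath.basename(image).lower(), path.lower()

def is_chrome_profile_file(path):
    """True for 'Web Data' or 'Local State' anywhere under a Chrome 'User Data' directory."""
    return "\\user data\\" in path and ntpath.basename(path) in SENSITIVE_FILES

def detect(lines, window_seconds=60):
    """Return (image, reason) findings for non-allowlisted processes touching the files.
    A process that reads both files within window_seconds gets an extra finding, since
    the theft needs the encrypted tokens and the decryption key together."""
    first_seen = defaultdict(dict)  # image -> {file name: first timestamp}
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ts, image, path = parse_record(line)
        if image in ALLOWED_IMAGES or not is_chrome_profile_file(path):
            continue
        name = ntpath.basename(path)
        findings.append((image, f"read {name}"))
        first_seen[image].setdefault(name, ts)
    for image, seen in first_seen.items():
        if SENSITIVE_FILES.issubset(seen):
            delta = abs((seen["web data"] - seen["local state"]).total_seconds())
            if delta <= window_seconds:
                findings.append((image, f"read both Web Data and Local State within {int(delta)}s"))
    return findings

if __name__ == "__main__":
    for image, reason in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {image}: {reason}")
```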
Despite multiple attempts by BleepingComputer and Hudson Rock to alert Google about this ongoing exploit, there has been no official response from the tech giant.
Adding to the complexity, the malware developers continuously update their methods to bypass Google's mitigations. For instance, Lumma's developers recently released an update to counteract new measures imposed by Google. This suggests Google is aware of the exploit but has yet to address it fully.
As the exploit becomes increasingly widespread among various infostealer groups, the urgency for a robust solution from Google intensifies. Until then, users are advised to exercise caution, particularly in downloading files from dubious sources, and to remain vigilant in monitoring their account activities. The cybersecurity community remains watchful, awaiting Google's response to this significant challenge to its security infrastructure.