Google is trying to downplay the security risk of cookies as nothing new
Security researchers recently warned of new malware that can revive expired authentication tokens via a Google Chrome API.
This feature is one-time, but still dangerous because it allows cybercriminals to stay logged into their victims' Google accounts for longer.
However, Google is now trying to downplay the significance of the vulnerability, essentially stating that it is nothing more than simple theft of session cookies.
Vulnerability, or not?
In a statement shared with BleepingComputersaid the search engine giant: “Google is aware of recent reports of a malware family that steals session tokens. Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to protect users who fall victim to malware. In this case, Google has taken action to secure the compromised accounts it detected.”
Citing people familiar with the matter, the publication further stated that Google doesn't actually see this as a vulnerability, but instead believes the API works as intended. The search engine giant advised users to log out of their Chrome browser and end all active sessions via g.co/mydevices as this will invalidate the Refresh token.
“In the meantime, users should take ongoing steps to remove any malware from their computers, and we recommend enabling Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads,” Google added.
The advice is good, but this is something that people rarely do proactively, and by the time they are infected with malware it is already too late.
In late November 2023, cybersecurity researchers at Hudson Rock warned that the latest version of the Lumma infostealer was observed to be able to recover expired Google cookies. The team discovered an advertisement for the feature posted on a dark web forum stating that the version released on November 14 “can recover dead cookies using a key from recovery files.” The advertisement further emphasizes that this only applies to Google cookies.