A cybersecurity firm has discovered a serious exploit that affects Google services and is used to give threat actors access to Google accounts CloudSEK.
The exploit, identified in October 2023, allows continued access to Google services even after a victim resets their password.
The malware has “rapidly spread” to several malware groups, including Lumma, Rhadamanthys, Risepro, Meduza, Stealc and White Snake.
Malware that hijacks Google accounts is spreading quickly
CloudSEK says the exploit makes it possible to generate persistent Google cookies through token manipulation, giving a threat actor continuous access to a victim's account.
Since information about the vulnerability came to light in October, a growing list of threat actors have incorporated the exploit into their infostealers and malware to gain access to Google accounts. At least six groups are now actively exploiting the vulnerability with their own malware.
CloudSEK's analysis confirms that the Google OAuth endpoint, MultiLogin, which is designed to sync Google accounts across services and provide users with a consistent user experience, is part of the key used by threat actors to break into Google accounts.
Reverse engineering has shown that the malware targets the token_service table of Chrome's WebData to extract tokens and account IDs from Chrome profiles.
Threat actors can use the stolen information to regenerate session cookies, which are designed to have a limited lifespan, to unlock access to a victim's account.
Reporting by Beeping computer reveals that one group, Lumma, has already updated the exploit to counter Google's actions, indicating that Google is already aware of the exploit. But it looks like Lumma has outsmarted the company – for now.
Ny Breaking Google has asked for more information about how users can protect themselves and whether the company will implement additional protection measures. In the meantime, users can avoid many cybersecurity issues by simply being careful about what they download; much malware is actually 'voluntarily' downloaded (intentionally or unintentionally) by the victim.