Title: Zero-Day Google Account Exploit Allows Access to Compromised Accounts
In a shocking discovery, researchers have identified a critical vulnerability in Google account security that enables info-stealing malware to gain access to compromised accounts, even after users have changed their passwords. This zero-day exploit was first teased by a cybercriminal known as “PRISMA” in October 2023, and has since become a cause for concern among experts.
The exploit works by exploiting an undocumented Google OAuth endpoint called “MultiLogin,” as identified by the CloudSEK researchers. Once the malware gains access, it can generate new session tokens, granting it entry into victims’ emails, cloud storage, and other sensitive information. At least six malware families, including Lumma and Rhadamanthys, have implemented this exploit to compromise Google accounts.
What makes this exploit particularly alarming is that it can continue to access accounts even if the user changes their password. This is because the malware steals users’ session tokens, which remain active even after a password reset. As a result, users are strongly advised to log out completely to invalidate their tokens and prevent further exploitation.
To regain control over compromised accounts, the stolen token:GAIA ID pairs are utilized with MultiLogin to regenerate Google service cookies. This process allows cybercriminals to access and manipulate the compromised accounts, posing a significant threat to users’ privacy and security.
The discovery of this exploit sheds light on the high level of sophistication among cybercriminals. Lumma, for instance, has recently introduced SOCKS proxies to bypass Google’s IP-based restrictions on token regeneration. Furthermore, the encryption of traffic between the malware’s command and control servers only makes it harder for security measures to detect the malicious activity.
Despite the gravity of the situation, Google has not yet responded to requests for information regarding its plans to address this threat. However, the tech giant suggests that users can revoke stolen tokens and cookies by signing out of the affected browser or remotely through the user’s devices page.
To safeguard themselves, users are strongly advised to remove any malware from their computers and enable Enhanced Safe Browsing in Chrome. This feature acts as an additional layer of protection against phishing attempts and malware downloads.
As the world becomes increasingly reliant on technology, it is crucial for individuals to stay informed about potential threats and take proactive measures to secure their accounts and personal information.
Internet geek. Wannabe bacon enthusiast. Web trailblazer. Music maven. Entrepreneur. Pop culture fan.