    Malware exploits Google MultiLogin vulnerability to maintain access despite password reset

    By techempire

    Report | January 3, 2024 | Editorial Department | Malware/data theft

    Information-stealing malware is actively exploiting an undocumented Google OAuth endpoint called MultiLogin to hijack user sessions and allow continued access to Google services even after a password reset.

    According to CloudSEK, the critical vulnerability facilitates session persistence and cookie generation, allowing threat actors to maintain access to valid sessions in an unauthorized manner.

    The technique was first revealed on October 20, 2023 by a threat actor named PRISMA on their Telegram channel. It has since been incorporated into various malware-as-a-service (MaaS) stealer families, such as Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.

    The MultiLogin authentication endpoint is primarily designed to sync Google Accounts across services when a user logs into their account (i.e. profile) in the Chrome web browser.

    Security researcher Pavan Karthick M said that reverse engineering of the Lumma Stealer code revealed that the technique targets “Chrome’s WebData token_service table to extract the token and account ID of the logged-in Chrome profile.” “This table contains two key columns: service (GAIA ID) and cryptographic token.”

    This token:GAIA ID pair is then combined with the MultiLogin endpoint to regenerate Google authentication cookies.
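Because the theft step described above depends on a process other than Chrome reading the profile's Web Data file, file-access telemetry is a practical detection point. The following is an added example, not code from the article or from CloudSEK; the event schema (`pid`, `image`, `target`), the sample events and the allowlist of Chrome install paths are assumptions to adapt to your own endpoint logs.

```python
import re
from pathlib import PureWindowsPath

# The article's "WebData" store is the file "Web Data" in each Chrome profile.
WEBDATA_RE = re.compile(
    r"\\google\\chrome\\user data\\[^\\]+\\web data(-journal)?$", re.IGNORECASE)

# Assumption: standard Chrome install locations. Extend for backup or EDR
# agents that legitimately read profile files in your fleet.
TRUSTED_IMAGE_RE = re.compile(
    r"^c:\\(program files( \(x86\))?|users\\[^\\]+\\appdata\\local)"
    r"\\google\\chrome\\application\\chrome\.exe$", re.IGNORECASE)


def normalize(path):
    """Convert forward slashes to backslashes so both path styles match."""
    return str(PureWindowsPath(path))


def suspicious_webdata_reads(events):
    """Return events where a non-Chrome image opened a profile's Web Data."""
    hits = []
    for ev in events:
        opens_webdata = WEBDATA_RE.search(normalize(ev["target"]))
        trusted = TRUSTED_IMAGE_RE.match(normalize(ev["image"]))
        if opens_webdata and not trusted:
            hits.append(ev)
    return hits


# Constructed sample events; the schema (pid, image, target) is hypothetical.
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
SAMPLE_EVENTS = [
    {"pid": 1010, "target": PROFILE + r"\Default\Web Data",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    # Binary named chrome.exe outside the install path: the name is not trusted.
    {"pid": 4242, "target": PROFILE + r"\Default\Web Data",
     "image": r"C:\Users\alice\AppData\Local\Temp\chrome.exe"},
    # Forward-slash path and a secondary profile.
    {"pid": 5150, "target": PROFILE.replace("\\", "/") + "/Profile 1/Web Data",
     "image": r"C:\Users\alice\Downloads\setup.exe"},
    # Different profile file: out of scope for this rule.
    {"pid": 6001, "target": PROFILE + r"\Default\History",
     "image": r"C:\Users\alice\Downloads\setup.exe"},
]

if __name__ == "__main__":
    for ev in suspicious_webdata_reads(SAMPLE_EVENTS):
        print(ev["pid"], ev["image"])
```

The rule matches on the full image path rather than the file name, so a binary that merely calls itself `chrome.exe` is still flagged.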

    When contacted for comment, Google acknowledged the existence of this attack method but noted that users can revoke stolen sessions by exiting the affected browser.

    “Google is aware of recent reports of a malware family stealing session tokens,” the company told The Hacker News. “Attacks involving cookie and token-stealing malware are not new; we regularly update our capabilities and defensive measures to target these types of techniques and to protect users who fell victim to malware. In this case, Google has taken action to protect any compromised accounts detected.”

    “However, it is important to note a misconception in the report, namely that users cannot revoke stolen tokens and cookies,” it further added. “This is incorrect, as stolen sessions can be invalidated simply by exiting the affected browser, or revoked remotely via the user’s device page. We will continue to monitor the situation and provide updates as needed.”

    The company further recommends that users turn on the enhanced Safe Browsing feature in Chrome to prevent phishing and malware downloads.
