CloudSEK Disclosed OAuth 2.0 Hack Method to Compromise Google Accounts

Brother

According to a report published by CloudSEK, a new technique lets attackers abuse Google's OAuth 2.0 infrastructure to compromise Google accounts. An attacker who obtains the right token from a victim's browser can keep a valid session alive by regenerating authentication cookies, even after the victim changes IP address or resets the account password.

The CloudSEK research team traced the attack to an undocumented Google OAuth endpoint called "MultiLogin". "MultiLogin" is an internal mechanism that synchronizes Google accounts across different services, ensuring that the account state held in the browser matches Google's authentication cookies.

The report notes that the exploit's developer was willing to cooperate, which sped up identification of the endpoint responsible for regenerating cookies.

The exploit was integrated into the Lumma infostealer on November 14. Its key features are session persistence and cookie regeneration. To do this, the malware extracts the required secrets, tokens and account IDs from the token_service table in the WebData SQLite database of logged-in Chrome profiles.
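The detail a defender can act on in the paragraph above is the access pattern: a process other than Chrome reads a Chrome profile's "Web Data" database. The following is an added example, not code from the CloudSEK report or from Lumma, that flags such reads in Windows Security object-access events (Event ID 4663). The events are constructed inline for illustration; collecting real ones requires a SACL on the profile directory, and the Chrome install path, the event field names and the allow-list of process images are assumptions to be tuned for your environment.

```python
"""
Added example (not from the CloudSEK report or Lumma): flag processes other than
Chrome itself that open a Chrome profile's "Web Data", "Cookies" or "Login Data"
SQLite files. "Web Data" holds the token_service table the stealer reads.

Events are constructed here in the shape of Windows Security Event 4663
(object access) fields. Assumptions: default Chrome install path, 4663 field
names as exported by a typical SIEM, and that only chrome.exe may touch these files.
"""
import re

# Profile-level files worth alerting on (constructed list; extend as needed)
SECRET_FILES = {"web data", "cookies", "login data"}

# Chrome profile directory, e.g. ...\Google\Chrome\User Data\Default\  (assumption: default path)
PROFILE_DIR_RE = re.compile(r"\\google\\chrome\\user data\\[^\\]+\\", re.IGNORECASE)

# Process images allowed to read these files without an alert (tuning point:
# a backup agent or EDR scanner may need to be added here)
ALLOWED_IMAGES = {"chrome.exe"}

# 4663 AccessMask bits we care about: ReadData (0x1) and WriteData (0x2).
# Metadata-only access such as ReadAttributes (0x80) is ignored.
READ_DATA = 0x1
WRITE_DATA = 0x2


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def _access_mask(value) -> int:
    # Security events export the mask as a hex string like "0x1"; accept ints too
    return int(value, 16) if isinstance(value, str) else int(value)


def is_chrome_secret_file(path: str) -> bool:
    """True if the path is one of the sensitive files inside a Chrome profile."""
    return bool(PROFILE_DIR_RE.search(path)) and _basename(path).lower() in SECRET_FILES


def find_suspicious_access(events):
    """Return the 4663 events where a non-Chrome process reads/writes profile secrets."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4663:
            continue
        if not _access_mask(ev.get("AccessMask", 0)) & (READ_DATA | WRITE_DATA):
            continue
        path = ev.get("ObjectName", "")
        if not is_chrome_secret_file(path):
            continue
        image = _basename(ev.get("ProcessName", "")).lower()
        if image in ALLOWED_IMAGES:
            continue
        hits.append({
            "user": ev.get("SubjectUserName"),
            "process": image,
            "process_path": ev.get("ProcessName"),
            "file": _basename(path),
        })
    return hits


# Constructed sample events (not real telemetry)
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS = [
    # Chrome reading its own database: benign
    {"EventID": 4663, "SubjectUserName": "alice", "AccessMask": "0x1",
     "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ObjectName": PROFILE + r"\Web Data"},
    # Unknown binary from Temp reading the token database: suspicious
    {"EventID": 4663, "SubjectUserName": "alice", "AccessMask": "0x1",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ObjectName": PROFILE + r"\Web Data"},
    # PowerShell reading saved logins: suspicious
    {"EventID": 4663, "SubjectUserName": "alice", "AccessMask": 0x1,
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ObjectName": PROFILE + r"\Login Data"},
    # Explorer touching attributes only (0x80): ignored
    {"EventID": 4663, "SubjectUserName": "alice", "AccessMask": "0x80",
     "ProcessName": r"C:\Windows\explorer.exe",
     "ObjectName": PROFILE + r"\Web Data"},
    # A file outside the watched set: ignored
    {"EventID": 4663, "SubjectUserName": "alice", "AccessMask": "0x1",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ObjectName": PROFILE + r"\History"},
]

if __name__ == "__main__":
    for hit in find_suspicious_access(SAMPLE_EVENTS):
        print(f"ALERT user={hit['user']} process={hit['process_path']} file={hit['file']}")
```

Expect false positives from backup software and some security tools; add those images to the allow-list rather than widening the mask filter, because a stealer only needs a single ReadData access to copy the database.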

“The session remains valid even when the account password is changed, which represents a unique advantage in bypassing typical security measures,” the report quotes PRISMA, the author of the exploit, as saying.

The researchers note an alarming trend: exploits are being adopted by multiple cybercriminal groups within days of their appearance. The abuse of Google's undocumented OAuth 2.0 MultiLogin endpoint is a prime example of this sophistication, since the approach relies on subtle manipulation of the Google Accounts and ID Administration (GAIA) token. The malware hides the exploit mechanism behind an encryption layer.

"This exploitation technique demonstrates a high level of sophistication and understanding of Google's internal authentication mechanisms. By manipulating the token:GAIA ID pair, Lumma can continually regenerate cookies for Google services. What's particularly troubling is that this exploit remains effective even after users' passwords are reset, allowing for continued and potentially undetectable exploitation of user accounts and data," the CloudSEK team concluded.