Malware uses an undocumented Google authentication endpoint to generate persistent Google cookies

Persistent Google cookies are generated through token manipulation, a technique first announced in October 2023 by a threat actor going by the name PRISMA. The exploit allows an attacker to retain access to Google services even after the user resets their password.

After reverse engineering the exploit, CloudSEK found that it depends on an undocumented Google OAuth endpoint called “MultiLogin”.

MultiLogin is an internal Google system used to synchronize Google accounts across services.

To handle concurrent sessions and profile switches smoothly, the endpoint accepts a vector of account IDs and auth-login tokens.

On November 14, the Lumma infostealer was observed using the exploit. Rhadamanthys, Risepro, Meduza, Stealc Stealer and, most recently, White Snake have since incorporated it.

The researchers found that the malware targets the token_service table in Chrome's WebData database to retrieve tokens and account IDs from logged-in Chrome profiles.

“Service (GAIA ID) and encrypted_token are the two key columns in this table. The encrypted tokens are unlocked with an encryption key kept in the UserData directory of Chrome’s Local State, much like how passwords are encrypted,” reads the CloudSEK report.
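The collection step above has a simple detection signature: the two files a stealer must read are the profile's Web Data database (which holds the token_service table) and the Local State file in the User Data directory (which holds the key that decrypts those tokens), and only Chrome itself has a reason to open them. The script below is an added example, not code from the CloudSEK report or from any of the stealers named here. It runs detection logic over constructed, hypothetical EDR file-open records; the log format, user, paths and process names are all assumptions for the demo. Any process other than chrome.exe that reads either file is flagged, and a process that reads both within a minute is escalated, because the tokens are useless without the key.

```python
"""Flag non-Chrome processes that read Chrome's token store and its key file.

Added example for illustration only. The JSON file-open records below are
constructed (hypothetical EDR telemetry), not real logs; in a real deployment
the same logic would run over EDR or Sysmon file-access events.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Path suffixes of the two files a stealer needs: the token_service table lives in
# Web Data, and the key that decrypts its encrypted_token column lives in Local State.
TOKEN_STORE = "\\default\\web data"
KEY_STORE = "\\user data\\local state"
# Chrome legitimately opens both files; any other image doing so is suspect.
TRUSTED_IMAGES = {"chrome.exe"}

# Constructed sample values (assumptions for the demo).
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
STEALER = "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"
PROFILE = "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data"

# Constructed sample log: one JSON object per file-open event (not real telemetry).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2023-11-14T09:00:01", "pid": 4120, "image": CHROME, "path": PROFILE + "\\Local State"},
    {"ts": "2023-11-14T09:00:02", "pid": 4120, "image": CHROME, "path": PROFILE + "\\Default\\Web Data"},
    {"ts": "2023-11-14T09:05:10", "pid": 7788, "image": STEALER, "path": PROFILE + "\\Local State"},
    {"ts": "2023-11-14T09:05:11", "pid": 7788, "image": STEALER, "path": PROFILE + "\\Default\\Web Data"},
    {"ts": "2023-11-14T09:30:00", "pid": 9001, "image": "C:\\Windows\\System32\\SearchIndexer.exe",
     "path": PROFILE + "\\Default\\Web Data"},
])


def classify(path):
    """Return 'token_store', 'key_store' or None; accepts Windows or POSIX separators."""
    p = path.replace("/", "\\").lower()
    if p.endswith(TOKEN_STORE):
        return "token_store"
    if p.endswith(KEY_STORE):
        return "key_store"
    return None


def image_name(image):
    """Base name of the process image, lower-cased, for the trusted-image check."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_log(text):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events


def detect(log_text, window=timedelta(seconds=60)):
    """One finding per untrusted process that touched either file.

    Severity is 'high' when the same process reads the key file and the token
    store within `window` of each other (what token theft actually needs),
    'medium' when it touched only one of them (worth a look, possibly benign)."""
    touched = defaultdict(list)  # pid -> [(ts, kind, image)]
    for e in parse_log(log_text):
        kind = classify(e["path"])
        if kind is None or image_name(e["image"]) in TRUSTED_IMAGES:
            continue
        touched[e["pid"]].append((e["ts"], kind, e["image"]))

    findings = []
    for pid, hits in touched.items():
        keys = [t for t, k, _ in hits if k == "key_store"]
        toks = [t for t, k, _ in hits if k == "token_store"]
        paired = any(abs(t - k) <= window for k in keys for t in toks)
        findings.append({
            "pid": pid,
            "image": hits[0][2],
            "files": sorted({k for _, k, _ in hits}),
            "severity": "high" if paired else "medium",
            "first_seen": min(t for t, _, _ in hits).isoformat(),
        })
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["severity"], f["pid"], f["image"], f["files"])
```

Run against the sample, the script flags update.exe as high (it read Local State and Web Data one second apart) and SearchIndexer.exe as medium (it touched only Web Data); Chrome's own accesses are ignored. Tune TRUSTED_IMAGES to the browsers and backup agents in your estate before deploying the rule.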

By manipulating the token: GAIA ID pair, the Lumma malware can generate new cookies for Google services on an ongoing basis. The researchers noted that the exploit keeps working even after users have changed their passwords.

The report goes on to say that “this persistence in access allows for prolonged and potentially undetected exploitation of user accounts and data.”

The user-agent string found in the exploit's source code, shown in Figure 7 (com.google.Drive/6.0.230903 iSL/3.4 iPhone/15.7.4 hw/iPhone9_4 (gzip)), suggests the exploit may have originated in a penetration test of Google Drive's services on Apple devices. The report closes by noting that this artefact, left in the code through inadequate testing, is what revealed the exploit's probable origin.

At the time of writing, Google has not confirmed that threat actors are abusing the MultiLogin endpoint.

Changing a Google account's password won't protect it from this new attack

According to security firm CloudSEK, a threat actor going by the handle PRISMA claimed to possess a powerful zero-day exploit and to have developed a sophisticated token-manipulation method for creating persistent Google cookies.

The report states that “this exploit enables continuous access to Google services, even after a user resets their password.”

OAuth 2.0, or “Open Authorization 2.0,” is a widely used protocol for delegating access to online resources without sharing passwords. It lets users sign in to third-party services through accounts they already hold, such as Google or Facebook, which simplifies confirming the user's identity.

CloudSEK's threat research team traced the exploit to an undocumented Google OAuth endpoint called “MultiLogin”, an internal system that synchronizes Google accounts across services and keeps Google's authentication cookies consistent with the browser's account state.

CloudSEK located the endpoint responsible for regenerating the cookies more quickly because the exploit's developer “expressed openness to cooperation.”

The exploit's primary features are session persistence and cookie generation. It was first integrated into the Lumma infostealer on November 14. The malware targets the token_service table of the WebData database in logged-in Chrome profiles to exfiltrate the necessary secrets, tokens and account IDs.

According to PRISMA, “the session remains valid even when the account password is changed, providing a unique advantage in bypassing typical security measures,” as stated in the report. “It is easier for the attacker to maintain unauthorized access if they can generate valid cookies in the event of a session disruption.”

Researchers observed a worrying trend of rapid exploit integration across infostealer groups. In their view, the abuse of the undocumented Google OAuth2 MultiLogin endpoint is a textbook example of sophistication, because the technique relies on a subtle manipulation of the GAIA ID (Google Accounts and ID Administration) token. The malware wraps the exploit's mechanism in a layer of encryption to hide it.

This exploitation method shows a high degree of proficiency and understanding of Google's internal authentication processes. By manipulating the token: GAIA ID pair, Lumma can generate cookies for Google services on an ongoing basis. More worrying still, the exploit continues to work even after users change their passwords. “This continuous access permits extended and possibly undetected misuse of user accounts and information,” the CloudSEK team concluded.
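The property both articles stress, that a stolen token: GAIA ID pair still yields fresh cookies after a password reset, is a design question about what a password change actually invalidates. The toy model below is an added example, not Google's implementation and not code from the report: a hypothetical AuthService whose multilogin method mints session cookies from stored (account ID, token) pairs, built once in the weak form (token validity independent of the password) and once in the hardened form (every password change bumps a credential epoch and tokens from an older epoch are refused). All class, method and field names, the sample GAIA ID and the passwords are assumptions for the demo.

```python
"""Toy model of token-derived session cookies surviving a password reset.

Added example, hypothetical names throughout; simplified and not Google's
implementation. The point shown: if the endpoint that regenerates cookies only
checks that a long-lived token exists, a stealer's copy of that token remains
good after the victim changes their password. Binding tokens to a credential
epoch that the password change bumps closes that gap.
"""
import hashlib
import hmac
import secrets


def _hash_pw(password):
    # Toy hash for the demo; a real service would use a password KDF (argon2, scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


class Account:
    def __init__(self, gaia_id, password):
        self.gaia_id = gaia_id
        self.password_hash = _hash_pw(password)
        self.credential_epoch = 0   # bumped on every password change
        self.tokens = {}            # long-lived token -> epoch it was issued in


class AuthService:
    def __init__(self, bind_tokens_to_password):
        # False: weak design, tokens outlive password changes.
        # True:  hardened design, a password change invalidates every older token.
        self.bind_tokens_to_password = bind_tokens_to_password
        self.accounts = {}
        self.cookie_key = secrets.token_bytes(32)

    def create_account(self, gaia_id, password):
        self.accounts[gaia_id] = Account(gaia_id, password)

    def login(self, gaia_id, password):
        """Password login; returns the long-lived token a browser would store locally."""
        acct = self.accounts[gaia_id]
        if not hmac.compare_digest(acct.password_hash, _hash_pw(password)):
            return None
        token = secrets.token_hex(16)
        acct.tokens[token] = acct.credential_epoch
        return token

    def change_password(self, gaia_id, new_password):
        acct = self.accounts[gaia_id]
        acct.password_hash = _hash_pw(new_password)
        acct.credential_epoch += 1  # existing tokens now belong to a stale epoch

    def multilogin(self, pairs):
        """Mint one session cookie per (gaia_id, token) pair; None for rejected pairs."""
        cookies = []
        for gaia_id, token in pairs:
            acct = self.accounts.get(gaia_id)
            issued_epoch = acct.tokens.get(token) if acct else None
            if issued_epoch is None:
                cookies.append(None)            # unknown account or token
                continue
            if self.bind_tokens_to_password and issued_epoch != acct.credential_epoch:
                cookies.append(None)            # token predates the password change
                continue
            msg = f"{gaia_id}:{acct.credential_epoch}:{secrets.token_hex(8)}".encode()
            cookies.append(hmac.new(self.cookie_key, msg, hashlib.sha256).hexdigest())
        return cookies


def stolen_token_after_reset(bind_tokens_to_password):
    """Scenario from the report: a stealer copies the (GAIA ID, token) pair, the user
    then resets the password, and the attacker asks the endpoint for fresh cookies.
    Returns True if the attacker still receives a valid cookie."""
    svc = AuthService(bind_tokens_to_password)
    svc.create_account("1234567890", "hunter2")                       # constructed sample account
    stolen = ("1234567890", svc.login("1234567890", "hunter2"))        # exfiltrated from the browser
    svc.change_password("1234567890", "correct horse battery staple")
    (cookie,) = svc.multilogin([stolen])
    return cookie is not None


if __name__ == "__main__":
    print("weak design, attacker keeps access after reset:", stolen_token_after_reset(False))
    print("hardened design, attacker keeps access after reset:", stolen_token_after_reset(True))
```

In the weak configuration the stolen pair keeps producing cookies indefinitely, which is the behaviour the articles describe; in the hardened configuration the same request is refused and only a token obtained by logging in with the new password works. The epoch check is the general fix: whatever long-lived credential a cookie-minting endpoint trusts must be tied to the user's password state (or explicitly revocable), or a password reset gives the victim no relief.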

Virtualattacks has reached out to Google for comment but has not yet heard back.
