Reports from BleepingComputer, CloudSEK, and Hudson Rock have highlighted a critical vulnerability affecting Google Chrome users that allows access to Google accounts and login tokens. The malware bypasses Chrome’s protections, extracts tokens from the browser’s local database and decrypts them. It can bypass two-factor authentication and retains access even after the password has been changed.
However, Google is now looking to downplay the importance of the vulnerability, essentially stating that it is no more than simple session cookie theft.
In a statement shared with BleepingComputer, the search engine giant said: “Google is aware of recent reports of a malware family stealing session tokens. Attacks involving malware that steals cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.”
Citing people familiar with the matter, BleepingComputer further stated that Google doesn’t really see this as a vulnerability, and instead believes the API works as intended. The search engine behemoth advised users to log out of their Chrome browser and kill all active sessions via g.co/mydevices, as that will invalidate the refresh token.
What is this new malware?
In late November 2023, BleepingComputer reported on two information-stealing malware operations named Lumma and Rhadamanthys, claiming they could restore expired Google authentication cookies stolen in attacks.
These cookies could then be loaded into threat actors’ browsers to gain access to an infected user’s Google accounts.
Since then, four other information stealers have adopted the same technique, including Stealc on December 1, Medusa on December 11, RisePro on December 12, and Whitesnake on December 26.
Last week, cybersecurity firm CloudSEK revealed that these information-stealing malware operations are abusing a Google OAuth “MultiLogin” API endpoint to generate new, working authentication cookies when a victim’s original stolen Google cookies expire.
This API is believed to be designed for synchronizing accounts across different Google services by accepting a vector of account IDs and auth-login tokens.
CloudSEK researcher Pavan Karthick told BleepingComputer that the information-stealing malware abusing this feature now steals multiple tokens from Google Chrome.
These tokens include any authentication cookies for Google sites and a special token that can be used to refresh, or generate, new authentication tokens.
As regular authentication cookies expire after a certain amount of time, they eventually become unusable to the threat actor.
However, as long as the user has not logged out of Google Chrome or revoked all sessions associated with their accounts, the threat actors can use this special “refresh” token to generate brand new authentication tokens once the previous ones have expired.
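To make concrete why Google's advice to sign out of all sessions works where a password change alone does not, here is a constructed toy model of the token lifecycle the reports describe. This is an added illustration, not Google's implementation or code from any of the cited reports; the class, method names and the cookie lifetime are all assumed.

```python
import secrets

class ToySessionService:
    """Constructed toy model: short-lived session cookies plus a long-lived
    refresh token per login. Illustration only, not Google's implementation."""
    COOKIE_TTL = 3600  # cookie lifetime in seconds (assumed value)

    def __init__(self):
        self.password = "initial"
        self.sessions = set()  # refresh tokens whose login session is still alive
        self.cookies = {}      # cookie -> (refresh_token, expiry)

    def login(self, now):
        refresh = secrets.token_hex(8)
        self.sessions.add(refresh)
        return refresh, self.mint_cookie(refresh, now)

    def mint_cookie(self, refresh, now):
        # A refresh token is honoured only while its login session is alive.
        if refresh not in self.sessions:
            return None
        cookie = secrets.token_hex(8)
        self.cookies[cookie] = (refresh, now + self.COOKIE_TTL)
        return cookie

    def cookie_valid(self, cookie, now):
        refresh, expiry = self.cookies.get(cookie, (None, 0))
        return now < expiry and refresh in self.sessions

    def change_password(self, new_password):
        self.password = new_password  # live sessions are left untouched

    def revoke_all_sessions(self):
        self.sessions.clear()  # sign out everywhere: refresh tokens and their cookies die

def token_lifecycle_scenario():
    svc = ToySessionService()
    refresh, cookie = svc.login(0)            # both copied by an infostealer
    later = svc.COOKIE_TTL + 1                # the stolen cookie has expired by now
    expired_cookie_works = svc.cookie_valid(cookie, later)
    fresh = svc.mint_cookie(refresh, later)   # refresh token mints a new cookie
    fresh_cookie_works = svc.cookie_valid(fresh, later)
    svc.change_password("new-secret")
    still_works_after_pw = svc.mint_cookie(refresh, later) is not None
    svc.revoke_all_sessions()
    works_after_revoke = svc.mint_cookie(refresh, later) is not None or svc.cookie_valid(fresh, later)
    return expired_cookie_works, fresh_cookie_works, still_works_after_pw, works_after_revoke
```

The scenario returns (False, True, True, False): the expired cookie is useless, the refresh token keeps minting new ones through a password change, and only revoking the sessions closes the door.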