Information-stealing malware is actively leveraging an undocumented Google OAuth endpoint called MultiLogin to hijack user sessions, allowing continuous access to Google services even after a password reset.
CloudSEK reports that this critical exploit facilitates session persistence and cookie generation, empowering threat actors to sustain access to a valid session unauthorizedly.
The exploit, first disclosed by a threat actor named PRISMA on October 20, 2023, via their Telegram channel, has been integrated into various malware-as-a-service (MaaS) stealer families like Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.
The MultiLogin authentication endpoint is primarily designed to synchronize Google accounts across services when users sign in to their accounts in the Chrome web browser (profiles).
Reverse engineering of the Lumma Stealer code revealed that the technique targets Chrome’s token_service table of WebData to extract tokens and account IDs of chrome profiles logged in. This table contains two crucial columns: service (GAIA ID) and encrypted_token.
The stolen token:GAIA ID pair is then used with the MultiLogin endpoint to regenerate Google authentication cookies.
Three token-cookie generation scenarios were tested, as outlined by security researcher Pavan Karthick M:
- When the user is logged in with the browser, allowing the token to be used multiple times.
- When the user changes the password but remains signed in to Google, restricting the token to a single use as it’s already been used once to maintain the sign-in.
- If the user signs out of the browser, causing the token to be revoked and deleted from the browser’s local storage, but regenerated upon logging in again.
Google acknowledged the existence of this attack method, stating that users can revoke stolen sessions by logging out of the affected browser or remotely revoking them via the user’s devices page.
The company emphasized that Enhanced Safe Browsing in Chrome can protect against phishing and malware downloads. Additionally, users are advised to change passwords to prevent threat actors from exploiting password reset authentication flows and to monitor account activity for suspicious sessions.
Hudson Rock co-founder and chief technology officer, Alon Gal, noted that while Google’s measures are valuable, this incident underscores the need for more advanced security solutions to counter evolving cyber threats like infostealers, which are increasingly popular among cybercriminals.
