Security researchers at CloudSEK have discovered the root of a zero-day exploit in Google account security that malicious hackers are using to log back into accounts on compromised devices even after a victim changes their password.
The exploit allows attackers to steal victims’ web browser session tokens through a malicious download or link that infects a PC with malware.
The Register reports the technique is known to be used by six malware families dedicated to stealing victims’ info, including Lumma and Rhadamanthys.
CloudSEK determined that the root of the exploit was an as-yet undocumented Google OAuth endpoint called “MultiLogin”.
This endpoint’s job is to sync Google accounts across multiple devices. To do this, it accepts a vector of account IDs and auth-login tokens to manage concurrent sessions or to switch between user profiles.
The researchers reverse-engineered the info-stealer malware and determined that the account IDs and auth-login tokens were being grabbed from a table of WebData in the Chrome browser.
This table contains a service and encrypted token. The attackers decrypt the latter using a key stored in Chrome’s Local State file in the UserData directory.
The token pairs can consequently be used with MultiLogin to repeatedly regenerate Google service cookies for logging into accounts even after resetting their passwords.
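From a defender’s side, the chain described above leaves a simple trace: a process other than the browser reading Chrome’s “Web Data” table or its “Local State” file under the User Data directory. The following Python script is an added detection example, not code from the article, CloudSEK or Google. It assumes file-access events (an EDR or Sysmon-style feed) have already been parsed into dictionaries with `image` (the accessing executable) and `target` (the file path) fields, and the sample events and the `chrome.exe` allowlist are constructed for illustration.

```python
"""Flag non-browser processes reading Chrome's token store.

Added example, not from the article or CloudSEK. Assumes file-access
events already parsed into dicts with "image" and "target" keys; the
sample events below are constructed, not real telemetry.
"""
from pathlib import PureWindowsPath

# Files the article names as the source of the stolen token pairs:
# "Web Data" holds the encrypted tokens, "Local State" holds the key.
SENSITIVE_FILES = {"web data", "local state"}

# Both live under ...\Google\Chrome\User Data\ on Windows.
USER_DATA_MARKER = ("google", "chrome", "user data")

# Processes expected to read those files (assumed allowlist); anything
# else touching them is worth an alert.
EXPECTED_PROCESSES = {"chrome.exe"}


def touches_token_store(path: str) -> bool:
    """True if path points at Web Data or Local State inside Chrome's User Data."""
    p = PureWindowsPath(path)
    if p.name.lower() not in SENSITIVE_FILES:
        return False
    parts = [part.lower() for part in p.parts]
    width = len(USER_DATA_MARKER)
    # Look for the Google\Chrome\User Data sequence anywhere in the path.
    return any(
        tuple(parts[i:i + width]) == USER_DATA_MARKER
        for i in range(len(parts) - width + 1)
    )


def flag_events(events):
    """Return the events where an unexpected process read the token store."""
    hits = []
    for ev in events:
        proc = PureWindowsPath(ev["image"]).name.lower()
        if touches_token_store(ev["target"]) and proc not in EXPECTED_PROCESSES:
            hits.append(ev)
    return hits


# Constructed sample events: one legitimate browser read, two reads by an
# unknown binary in Temp, and one unrelated file access.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for ev in flag_events(SAMPLE_EVENTS):
        print("ALERT:", ev["image"], "->", ev["target"])
```

Run against the constructed feed, the script raises two alerts, both for the unknown binary in Temp; the browser’s own read and the unrelated document access are ignored. A real deployment would widen the allowlist to cover backup agents and the like, and pair this with the remediation the article goes on to describe (signing out of the affected browser or revoking sessions), since a hit here means the token pairs may already be gone.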
Google told The Register it was aware of reports about the malware family stealing tokens, which it said was nothing new.
“We will continue to monitor the situation and provide updates as needed,” the company said.
It pointed out that stolen sessions can be invalidated if the user signs out of the affected browser or remotely revokes them on the user’s devices page.
“In the meantime, users should continually take steps to remove any malware from their computer, and we recommend turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads,” Google advised.