
Google OAuth Exploit Allows Persistent Cookie Generation

Hackers hijack Google accounts with "zero-day" exploit, even after password reset. Malware manipulates cookies to maintain access, putting millions at risk.


Security experts have identified an exploit that leverages an undocumented Google OAuth endpoint to regenerate persistent Google cookies. CloudSEK's analysis reveals that the exploit manipulates token:GAIA ID pairs to sustain access to Google services, posing a significant threat to user accounts.

Malware Leveraging Zero-Day Exploit

The exploit was first detected by a developer with the pseudonym PRISMA in October 2023. Threat actors are exploiting this zero-day to breach security on several fronts. Malware such as Lumma Infostealer, which incorporated the exploit on November 14, has paved the way for similar malware to follow suit. Researchers have observed other malicious software integrating the exploit, including Rhadamanthys, Risepro, Meduza, Stealc Stealer, and the recently spotted White Snake.

A Closer Look at the Malware Mechanism

The attacking malware targets Chrome's token_service table in the WebData database to extract tokens and account IDs. By decrypting the encrypted tokens with a key from Chrome's Local State file, in the same way Chrome's saved passwords are protected, the malware can continuously regenerate cookies. CloudSEK points out that even a user's password reset would not impede the exploit, hinting at a concerning level of persistence and a risk of unnoticed exploitation.
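The two Chrome artifacts named above, Local State (the key) and Web Data (the token_service table), are the files an infostealer must read before it can touch the MultiLogin flow, which makes a non-browser process opening both a cheap, high-signal hunt. The following detection pass is an added example written for this article, not code from CloudSEK or the malware; the event record shape, the Windows profile paths (the "Default" profile) and the sample events are all assumptions.

```python
import re
from collections import defaultdict

# Chrome artifacts named in the article; path layout is an assumption (Windows, "Default" profile).
CHROME_ARTIFACTS = {
    "local_state": re.compile(r"\\User Data\\Local State$", re.IGNORECASE),
    "web_data": re.compile(r"\\User Data\\Default\\Web Data$", re.IGNORECASE),
}
# Processes legitimately expected to open these files.
ALLOWED_IMAGES = {"chrome.exe"}

def image_name(path):
    """Return the lower-cased executable name from a full image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_token_theft_candidates(events):
    """events: iterable of dicts with keys pid, image, target (file opened).
    Returns {pid: {"image": ..., "artifacts": set}} for every non-browser
    process that opened both Local State and Web Data."""
    seen = defaultdict(lambda: {"image": None, "artifacts": set()})
    for ev in events:
        img = image_name(ev["image"])
        if img in ALLOWED_IMAGES:
            continue
        for label, pattern in CHROME_ARTIFACTS.items():
            if pattern.search(ev["target"]):
                seen[ev["pid"]]["image"] = img
                seen[ev["pid"]]["artifacts"].add(label)
    return {pid: v for pid, v in seen.items()
            if v["artifacts"] == set(CHROME_ARTIFACTS)}

# Constructed sample file-access events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"pid": 7788, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"pid": 7788, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"pid": 9001, "image": r"C:\Windows\System32\SearchIndexer.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
]

if __name__ == "__main__":
    for pid, hit in find_token_theft_candidates(SAMPLE_EVENTS).items():
        print(f"pid {pid} ({hit['image']}) read {sorted(hit['artifacts'])}")
```

Only pid 7788 is reported: it is the one non-Chrome process that read both files, while the indexer touching Web Data alone stays below the threshold.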

Speculation suggests that a penetration test of Google Drive's services on devices could be the origin of the exploit. The analysis concludes that imperfect testing of Google Drive inadvertently revealed this exploit. As of this report, Google has not confirmed active use of this zero-day against its MultiLogin endpoint. Experts continue to monitor the situation and recommend vigilance for signs of suspicious account activity.

Recent OAuth App Warning from Microsoft

Last month, Microsoft security researchers revealed how threat actors misuse OAuth applications to automate financially driven attacks. The post explained how these attacks work, gave examples of recent attacks, and offered recommendations for customers and organizations to protect themselves from OAuth token abuse.

Threat actors can create malicious OAuth applications and trick users into granting them access to their online accounts. Once the access is granted, the threat actors can use the OAuth tokens to access user data, such as email, contacts, and financial information, from various cloud services and applications.

Luke Jones