New malware attack is so nasty it can hijack your Google account using expired cookies — how to stay safe
Info-stealing malware strains have begun using expired cookies to take over Google accounts
Several info-stealing malware strains are actively exploiting an undocumented Google OAuth endpoint named MultiLogin to take over Google accounts even after a password reset.
As reported by BleepingComputer, this exploit allows certain malware strains to restore expired authentication cookies, which are then used to log in to victims’ Google accounts.
Of the various browser cookies used on the web, session cookies are a special type of cookie that contains authentication information. If you’ve ever opened your browser and gone straight to a site you previously logged in on without being asked for a password, that is session cookies at work. However, these cookies are designed to have a short lifespan before expiring, so that they can’t be used by hackers to log in to stolen accounts indefinitely.
Back in November of last year, the cybercriminals behind the Lumma and Rhadamanthys info-stealing malware strains claimed that they were able to restore expired Google authentication cookies that were stolen in cyberattacks. With these cookies in hand, a hacker can gain unauthorized access to your Google account even after you’ve logged out, reset your password or your session has expired.
Restoring expired Google Authentication cookies
In an effort to better explain how hackers are using this new zero-day exploit, the cybersecurity firm CloudSEK has released a new report.
In the report, the firm’s researchers explain that the exploit was first revealed by a threat actor called PRISMA in a Telegram post back in October of last year. In the post, they explained that they had found a way to restore Google authentication cookies that had expired.
From there, CloudSEK reverse-engineered the exploit, which led to the discovery that it uses an undocumented Google OAuth endpoint named MultiLogin, which is used to synchronize accounts across a number of different Google services.
By abusing this endpoint, info-stealing malware is able to extract tokens and account IDs from Chrome profiles that are logged into a Google account. Within this stolen information there are two critical pieces of data: a GAIA ID and encrypted tokens. These encrypted tokens are decrypted using an encryption key stored within Chrome’s “Local State” file, and that same key can also be used to decrypt any saved passwords in a victim’s browser.
By using the stolen tokens and Google’s MultiLogin endpoint, hackers can regenerate expired Google service cookies and maintain persistent access to compromised accounts. It’s worth noting that if a user resets their Google password, an authentication cookie can only be regenerated once more. If they don’t, it can be regenerated multiple times.
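From a defender’s side, the behavior described above has a simple tell: a process other than the browser opening Chrome’s “Local State” file or its credential databases. The following is an added example, not code from the article or from CloudSEK; the pipe-separated log format, the sample events and the process allowlist are constructed assumptions, and the file paths are the standard Windows Chrome profile locations.

```python
# Added example (not from the article): flag reads of Chrome's "Local State"
# key file and credential databases by processes other than the browser.
# Log format, sample events and the allowlist are constructed assumptions.
import re
from dataclasses import dataclass

# Processes that legitimately open these files (assumed allowlist; tune per fleet).
ALLOWED_PROCESSES = {"chrome.exe", "googleupdate.exe"}

# "Local State" holds the key that protects saved passwords and tokens;
# "Login Data" and "Cookies" are the credential and session databases.
SENSITIVE_PATH = re.compile(
    r"\\Google\\Chrome\\User Data\\(?:Local State|.*\\(?:Login Data|Cookies))$",
    re.IGNORECASE,
)

@dataclass
class FileEvent:
    ts: str
    process: str
    path: str

def parse_event(line: str) -> FileEvent:
    # Constructed format: timestamp|process|path
    ts, process, path = line.split("|", 2)
    return FileEvent(ts.strip(), process.strip().lower(), path.strip())

def is_suspicious(ev: FileEvent) -> bool:
    """True when a non-allowlisted process reads a sensitive Chrome file."""
    return bool(SENSITIVE_PATH.search(ev.path)) and ev.process not in ALLOWED_PROCESSES

def scan(log_text: str) -> list[FileEvent]:
    events = (parse_event(l) for l in log_text.splitlines() if l.strip())
    return [ev for ev in events if is_suspicious(ev)]

# Constructed sample telemetry, not real data.
SAMPLE_LOG = r"""
2024-01-04T10:01:02Z|chrome.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State
2024-01-04T10:01:05Z|update.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State
2024-01-04T10:01:06Z|update.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2024-01-04T10:01:07Z|notepad.exe|C:\Users\alice\Documents\todo.txt
2024-01-04T10:01:09Z|chrome.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
"""

if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print(f"ALERT {ev.ts} {ev.process} read {ev.path}")
```

Running it on the constructed log flags only the two reads by update.exe; Chrome’s own reads and the unrelated notepad event pass.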
How to stay safe from attacks exploiting this zero-day flaw
Fortunately, Google is aware of this issue and in a statement to The Hacker News, a company spokesperson has provided further details along with some tips on how users can protect themselves while using Chrome.
Stealing cookies and session tokens is nothing new and, as the search giant points out, it has “taken action to secure any compromised accounts detected.” Likewise, Google’s spokesperson notes that “simply signing out of the affected browser” will revoke a user’s session cookies. At the same time, the company recommends that users turn on Enhanced Safe Browsing in Chrome for additional protection against malware and phishing attacks.
You should also regularly change your Google password to keep your account safe from hackers. If you have a hard time coming up with new passwords, a password generator can help, and all of the best password managers also offer this feature. As for protecting yourself and your devices from malware and hackers, you should be using the best antivirus software on your PC, the best Mac antivirus software on your Apple computers and one of the best Android antivirus apps on your Android smartphone.
Now that hackers have figured out how to add the ability to restore session cookies to their malware, expect more malware strains to adopt this feature as Google works to crack down on cookie and token theft in Chrome.
Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.