‘Exploit makes it possible to take over Google accounts, even after changing password’

Spread the love

Security companies Hudson Rock and CloudSek are warning of a zero-day vulnerability that makes it possible to restore expired session cookies from Google Chrome accounts. This allows attackers to gain access to those accounts even after the user has changed the password.

There are several malware families in circulation that can exploit the OAuth2 authorization protocol Hudson Rock and CloudSek. This makes it possible to continuously regenerate previous, valid session cookies. These cookies contain authentication information and serve to allow the user to automatically log in to websites and services, without having to enter their details each time. Normally, these cookies are only intended to be accessible temporarily and will no longer work if users change their login details. However, with this exploit, once attackers gain access to a Google Chrome account, they can continue to have unauthorized access even after the user changes their password, logs out, or after the session expires.

The research teams found the exploit in Lumma’s Infostealer malware last month. As a result, they discovered that the vulnerability is in the Google oAuth endpoint MultiLogin. This mechanism synchronizes Google accounts from multiple services with each other using a vector of account IDs and login tokens. If Infostealer is installed on a desktop, this malware can exploit the endpoint by filtering out tokens and IDs. These can then be decrypted using the encryption key stored in Chrome’s Local State file. With the account IDs and tokens it is then possible to send a request to the MultiLogin API with which the session cookies can be regenerated.

CloudSek reverse-engineered the exploit and managed to use it itself to restore expired cookies, the security company said to Bleeping Computer. The company does state that the cookies can only be regenerated once after changing the password. Access to the account cannot be maintained for long after a password change.

The exploit would be actively exploited. This is not only done by Lumma, other malware groups are also said to be using the vulnerability to their advantage. There are reportedly at least six groups working on regenerating Chrome cookies so far. Google has not yet indicated that it is aware of the zero-day vulnerability. The exploit has not yet been closed at the time of writing.

A hacker shared the above video demonstrating the exploit with the security companies

You might also like
Exit mobile version