Well, here’s a bit of a shocker. Multiple malware families are having a field day with an undocumented Google OAuth endpoint known as “MultiLogin”. What’s it do? It revives expired authentication cookies. This gives them unauthorized access to users’ Google accounts. Not cool, right?
Session cookies, those little digital crumbs, are designed to have a limited lifespan. They usually expire, which is a good thing. It stops prolonged unauthorized access. But, here’s the kicker. Threat actors have found a zero-day exploit. This lets them regenerate expired Google authentication cookies. And they can do this even after the legit owners have reset passwords or logged out.
The exploit was first disclosed by a threat actor named PRISMA. They shared the method of restoring expired cookies on Telegram. CloudSEK researchers dug deeper into the matter. They found that the exploit uses the “MultiLogin” endpoint. This is meant for syncing accounts across various Google services.
The abused API endpoint is part of Gaia Auth API. It accepts a vector of account IDs and auth-login tokens. This lets threat actors extract crucial info for persistent access.
Now, here’s a headline for you: “Malware including Lumma, Rhadamanthys, Stealc, Medusa, and RisePro have already adopted the Google OAuth endpoint exploit”.
The zero-day exploit works by extracting tokens and account IDs from Chrome profiles that are logged into a Google account. The stolen info includes the service value (the GAIA ID) and the encrypted_token value. Threat actors decrypt the stolen tokens using the encryption key stored in Chrome’s ‘Local State’ file.
These decrypted tokens, when paired with the MultiLogin endpoint, let threat actors regenerate expired Google Service cookies. This means they can maintain persistent access to compromised accounts.
Threat actors can only regenerate the authentication cookie once if a user resets their Google password. But, if the password remains unchanged, they can regenerate it repeatedly. Multiple information-stealing malware families, including Lumma, Rhadamanthys, Stealc, Medusa, RisePro, and Whitesnake, have adopted this exploit. Their operators claim they can regenerate Google cookies using the API endpoint. This is a significant threat to user account security.
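The mechanism described above has a detectable footprint on the endpoint: a process that is not the browser reads Chrome’s ‘Local State’ file (where the encryption key lives) and, in the same session, the profile files that hold tokens and credentials. The following is an added detection example written for this article, not code from CloudSEK, Google, or any of the malware named here. It assumes an EDR sensor that emits one JSON record per file-access event with the field names shown (ts, host, process, ppid_image, path, op); the sample log lines are constructed, and the allow-list of legitimate readers is a placeholder to tune for your environment.

```python
import json
import re
from collections import defaultdict

# Constructed sample telemetry (not from the article). Field names are assumptions
# about an EDR file-access feed; paths are typical Chrome profile locations.
SAMPLE_EVENTS = r"""
{"ts":"2024-01-05T10:01:02Z","host":"ws01","process":"chrome.exe","ppid_image":"explorer.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State","op":"read"}
{"ts":"2024-01-05T10:01:03Z","host":"ws01","process":"chrome.exe","ppid_image":"explorer.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data","op":"read"}
{"ts":"2024-01-05T10:07:40Z","host":"ws01","process":"update.exe","ppid_image":"winword.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State","op":"read"}
{"ts":"2024-01-05T10:07:41Z","host":"ws01","process":"update.exe","ppid_image":"winword.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data","op":"read"}
{"ts":"2024-01-05T10:07:42Z","host":"ws01","process":"update.exe","ppid_image":"winword.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data","op":"read"}
{"ts":"2024-01-05T10:09:00Z","host":"ws02","process":"backup.exe","ppid_image":"services.exe","path":"C:\\Users\\bob\\Documents\\notes.txt","op":"read"}
"""

CHROME_USER_DATA = re.compile(r"\\Google\\Chrome\\User Data\\", re.IGNORECASE)
KEY_FILE = "Local State"                              # holds the key that protects profile secrets
TOKEN_STORES = {"Web Data", "Login Data", "Cookies"}  # profile files holding tokens, passwords, cookies
ALLOWED_READERS = {"chrome.exe"}                      # assumption: extend for sync/backup agents you trust


def parse_events(text):
    """Parse one JSON record per line; blank and malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def classify_path(path):
    """Return 'key', 'store', or None depending on which Chrome profile file a path names."""
    if not CHROME_USER_DATA.search(path):
        return None
    name = path.rsplit("\\", 1)[-1]
    if name == KEY_FILE:
        return "key"
    if name in TOKEN_STORES:
        return "store"
    return None


def detect_chrome_token_theft(events):
    """Group Chrome profile reads by (host, process, parent) and alert on non-browser readers.

    A single process reading both the key file and a token store is the combination
    the stealers need (key to decrypt, store to obtain the encrypted token), so it is
    rated high; either one alone is rated medium for analyst triage.
    """
    touched = defaultdict(lambda: {"key": set(), "store": set(), "first": None})
    for ev in events:
        if ev.get("op") != "read":
            continue
        kind = classify_path(ev.get("path", ""))
        if kind is None or ev.get("process", "").lower() in ALLOWED_READERS:
            continue
        key = (ev["host"], ev["process"], ev.get("ppid_image", "?"))
        touched[key][kind].add(ev["path"].rsplit("\\", 1)[-1])
        touched[key]["first"] = touched[key]["first"] or ev["ts"]

    alerts = []
    for (host, proc, parent), t in touched.items():
        severity = "high" if t["key"] and t["store"] else "medium"
        alerts.append({
            "host": host,
            "process": proc,
            "parent": parent,
            "first_seen": t["first"],
            "files": t["key"] | t["store"],
            "severity": severity,
        })
    return sorted(alerts, key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for alert in detect_chrome_token_theft(parse_events(SAMPLE_EVENTS)):
        print(alert["severity"].upper(), alert["host"], alert["process"],
              "spawned by", alert["parent"], "read", sorted(alert["files"]))
```

On the constructed sample, the browser’s own reads are ignored, the unrelated read on ws02 never matches, and the office-spawned update.exe that touched ‘Local State’ together with two profile stores produces one high-severity alert. In production, the parent-process field is the useful pivot: Chrome reading its own profile is normal, a document-spawned binary doing so is not.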
Despite the exploitation being revealed and demonstrated, Google hasn’t officially confirmed the abuse of the MultiLogin endpoint. This raises concerns about the scale of exploitation and the lack of mitigation efforts. The exploit’s adoption by multiple malware families emphasizes the urgent need for Google to address and patch this zero-day vulnerability.
Here’s a quick demonstration of the process.