top of page

Google Cookies Exploit Grants Persistent Access Post-Password Reset

A severe exploit targeting Google cookies has surfaced, posing a substantial threat to user account security. This vulnerability allows threat actors to manipulate or pilfer user cookies, which hold essential authentication information. Exploiting this flaw enables unauthorized access to accounts, with potential malicious applications such as user impersonation, session hijacking, unauthorized access to sensitive information, and control over websites and applications.



In October 2023, developer PRISMA uncovered a significant vulnerability in Google cookies, allowing threat actors to maintain access even after a password reset. This exploit found its way into Lumma Infostealer, causing a ripple effect across various malware groups.


Cloudsek cybersecurity researchers recently identified this critical Google Cookies exploit, highlighting its potential to enable persistent access to Google accounts post-password reset. The exploit's origin was traced back to an undocumented Google OAuth endpoint within "MultiLogin."

PRISMA unveiled this potent 0-day solution on Telegram, featuring session persistence after a password change and cookie generation for uninterrupted access. The exploit targets Chrome's WebData token_service table, extracting tokens, account IDs, and other crucial columns.


Chromium's source code revealed the existence of the MultiLogin endpoint, an internal sync mechanism for Google accounts. Despite attempts to locate it using Google Dork, its exact location remained elusive. This undocumented MultiLogin endpoint, integral to Google's OAuth system, allows for the regeneration of cookies.


Lumma's sophisticated approach involves encrypting the token: GAIA ID pair, effectively blackboxing the exploit to protect its technique and evade detection. This encryption ensures continuous cookie regeneration for Google services, persisting even after a password reset. This alarming persistence enables prolonged and unnoticed account exploitation.


The encryption of this key component signifies a shift towards advanced, stealth-focused cyber threats, highlighting the emphasis on protecting exploit methodologies in malware development. Given the severe risk this critical exploit poses to user accounts, vigilance and prompt actions are essential to mitigate potential threats and safeguard personal information.


Comments


bottom of page