Multiple Malware Exploit Google Cookie Flaw For Session Hijacking

by Abeerah Hashim
An undocumented Google OAuth endpoint enables a cookie-regeneration exploit used for session hijacking

Researchers have found numerous malware groups actively exploiting a Google cookie vulnerability for session hijacking. The exploit not only grants access to the target account but also survives disruption: it regenerates valid cookies, giving the attacker persistent access.

Google Cookie Exploit Active In The Wild

A recent report from CloudSEK highlights a new Google cookie exploit that is actively being used in attacks. The exploit allows persistent access to the target Google account while bypassing existing security measures.

The exploit first surfaced online via a Telegram channel, where a poster using the handle “PRISMA” shared details about the vulnerability in an undocumented Google OAuth endpoint, “MultiLogin.” The threat actor described it as a zero-day allowing session hijacking and persistent access to the target account. As explained in the post, the exploit allows cookies to be regenerated if the session is disrupted, which drew significant attention from other threat actors.

While the exact origin of the exploit initially remained unclear, the threat actor behind the infamous Lumma infostealer later reverse-engineered the script and identified the vulnerable MultiLogin endpoint. The attackers then integrated the exploit into the malware using an advanced blackboxing approach.

Following Lumma, various other malware families, including Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake, also started integrating the same capability.

This ripple effect eventually caught the attention of CloudSEK, whose researchers then uncovered the vulnerability by reverse-engineering the malware variant. Describing the vulnerable endpoint, the researchers stated in their report:

“The MultiLogin endpoint, as revealed through Chromium’s source code, is an internal mechanism designed for synchronizing Google accounts across services. It facilitates a consistent user experience by ensuring that browser account states align with Google’s authentication cookies.”

CloudSEK has shared a detailed technical analysis of this exploit in their report. The findings highlight the importance of continuous, vigilant monitoring for security vulnerabilities in order to counter stealthy attack strategies. The researchers also emphasize the value of human intelligence sources for keeping abreast of the latest threats.
