A cookie-related vulnerability in Chrome allows attackers to access other people's Google accounts without permission. Information-stealing malware is actively exploiting a Google OAuth vulnerability called MultiLogin to hijack user sessions and keep continuous access to Google services even after the password has been reset.

According to CloudSEK, the exploit (program or code that exploits a vulnerability) facilitates session persistence and cookie generation, allowing access to a valid session to be maintained in an unauthorized manner. This allows attackers who install malware on computers to “extract and decrypt login tokens stored in Chrome’s local database.”

The technique was first revealed by an attacker named PRISMA on October 20, 2023, on his Telegram channel. It has since been included in several malware-as-a-service (MaaS) stealer families: Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.

The MultiLogin authentication endpoint is primarily designed to sync Google accounts between services when users log into their accounts in the Chrome web browser (i.e. profiles). The problem is that attackers can execute the same process repeatedly, even if the user changes their Google account password.

The company has not fixed the issue yet but is working on it. The problem was first discovered last October, when the whole thing was posted on Telegram.

“Google is aware of recent reports of a malware family stealing session tokens,” the company told The Hacker News. “Attacks involving malware that steals cookies and tokens are not new; we routinely update our defenses against such techniques and protect users who fall victim to malware. In this case, Google has taken steps to protect all compromised accounts detected.”

The company also recommended that users enable Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads. (JO)