According to the security firm that discovered the exploit, hackers are already integrating it into info-stealing malware.
Cybercriminals have found a way to break into password-protected Google accounts without acquiring any of their target’s login credentials, a security firm has suggested.
Through the generation of persistent Google cookies, the firm says, hackers can retain “continuous access” to Google accounts, even if the password is later reset. Threat groups are already experimenting with the technology.
The news is likely to add further fuel to the ongoing debate surrounding how secure passwords, password managers, and log-in journeys actually are, which is already convincing companies like Google to switch from passwords to passkeys.
Hacking a Google Account Without the Password
Back in October 2023, using an AI digital risk platform, security firm CloudSEK spotted that a threat actor called PRISMA had announced a “potent 0-day solution addressing challenges with incoming sessions of Google accounts” on their Telegram channel.
The zero-day exploit means hackers can effectively gain unauthorized access to Google accounts via token manipulation methods. This is all due to a major flaw in the cookie generation process, rooted in an undocumented Google OAuth endpoint dubbed “MultiLogin”.
Cookies are bits of information stored on devices, typically downloaded from websites. They’re often used to facilitate account login journeys that don’t require users to input their login credentials over and over again, as well as to tailor the browsing experience to a user’s preferences more broadly.
The important feature of the zero-day solution is “session persistence”, which means a hacker’s session using a target Google account will continue to remain valid in the face of a password change.
This means the true owner of the Google account won’t be able to kick them out with a password reset. Further, the flaw also allows any threat actor exploiting it to “generate valid cookies in the event of a session disruption”, which CloudSEK says enhances the attacker’s ability to “maintain unauthorized access.”
As of January 2024, Google is yet to roll out a comprehensive solution to the flaw, CloudSEK says.
Hacking Groups Catch On to Big Discovery
Unfortunately, hackers have already incorporated the exploit into their info-stealing malware to break into the Google accounts of unsuspecting victims.
After the exploit was made public in mid-November 2023, “a threat actor… later reverse-engineered this script and incorporated it into Lumma Infostealer… protecting the methodology with advanced blackboxing techniques,” CloudSEK notes.
After that, the team behind the Lumma info stealer updated the exploit to make it even harder for Google’s detection systems to spot.
CloudSEK says the exploit has now spread “rapidly” among various other threat groups, making the risk to account holders even higher – Rhadamanthys, Risepro, Meduza, and Stealc Stealer have reportedly all incorporated the technique already.
What to Do If Your Google Account Has Been Compromised
A password reset on its own won’t defeat this attack technique. CloudSEK recommends that users who believe their account may have been hacked first log out of all devices and browsers.
Only after that step will a password reset, using a sufficiently complex and unique password, invalidate the threat actor’s old tokens.