Google Account. This method allows you to maintain a valid session by regenerating cookies, even after changing your IP address or password. A newhackerMethods allow attackers to exploit OAuth 2.0 Authorization Protocol functionality to compromise GoogleCloudSEK CloudSEK Reports
A team of CloudSEK researchers discovered an attack using an undocumented Google Oauth access point called "MultiLogin". "MultiLogin" is an internal mechanism designed to synchronize Google accounts across various services, ensuring that the account state in the browser matches Google's authentication cookie.
expressed a willingness to cooperate, which accelerated the discovery of the access point responsible for re-generating the cookie. Utilizing the
Infostealer malware. Lumma's main functions include session persistence and cookie generation. The program is designed to extract the necessary secrets, tokens, and account IDs by attacking the token_service table in the WebData of the login Chrome profile.
"Sessions remain valid even if the account password is changed, which is a unique advantage in bypassing typical security measures," - the report quotes PRISMA, the author of the exploit.
Researchers have noted a worrying trend of rapid consolidation of vulnerability exploits among various cybercriminal groups. Exploiting Google's undocumented OAuth2 MultiLogin access point is a prime example of the sophistication, as the method relies on subtle manipulation of Google Account and ID Management (GAIA) tokens. The malware uses a cryptographic layer to hide the exploit mechanism.
This exploitation technique demonstrates a high degree of sophistication and understanding of Google's internal authentication mechanisms. By manipulating the "Token:GAIA ID" pair, Lumma can continually regenerate cookies for Google services, and, particularly troubling, the exploit remains in effect even if a user's password is reset, allowing for ongoing and potentially undetectable exploitation of user accounts and data. " The CloudSEK team concluded.
refer to:
https://www.cloudsek.com/blog/compromising-google-accounts-malwares-exploiting-undocumented-oauth2-functionality-for-session-hijacking
Original article by batsom, if reproduced, please credit: https://cncso.com/en/google-accounts-malwares-exploiting-undocumented-oauth2-session-hijacking.html