Google Account OAuth2 Protocol Faces New Attack Threats

Google service cookies can be regenerated through undocumented OAuth2 functionality, keeping a session alive regardless of IP changes or a password reset.

According to a CloudSEK report, a new attack technique lets an attacker abuse OAuth 2.0 authorization-protocol functionality to compromise Google accounts. The method keeps a session valid by regenerating its cookies, even after the victim changes IP address or resets the password.

A team of CloudSEK researchers discovered an attack that uses an undocumented Google OAuth endpoint called "MultiLogin". MultiLogin is an internal mechanism for synchronizing Google accounts across the company's services: it ensures that the account state in the browser matches Google's authentication cookies.

The exploit's author expressed a willingness to cooperate, which accelerated the discovery of the endpoint responsible for regenerating the cookies.

The technique has been adopted by the Lumma Infostealer malware, whose relevant functions are session persistence and cookie generation. The program extracts the necessary secrets, tokens and account IDs by reading the token_service table in the WebData database of logged-in Chrome profiles; that table maps each account's GAIA ID to its stored (encrypted) refresh token.
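To see what the stealer harvests at this step, here is an added example written for this article (not code from CloudSEK, Lumma or the original post) that inventories the Google refresh tokens held in a Chrome profile's WebData database. It assumes, which the page does not state, that Chrome keys each account's row as AccountId-<GAIA ID> and, on Windows, wraps the token with OSCrypt so the blob starts with v10; the sample database is constructed inline so it runs offline, and inventory_profile is a hypothetical helper for pointing the same check at a real WebData file.

```python
import shutil
import sqlite3
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Assumptions (not stated on the page): Chrome keys each account's refresh token
# in token_service as "AccountId-<GAIA ID>", and on Windows wraps the token with
# OSCrypt (AES-GCM, key kept in the profile's Local State file), giving it a
# "v10" prefix.
ACCOUNT_PREFIX = "AccountId-"
OSCRYPT_PREFIX = b"v10"


@dataclass
class StoredToken:
    gaia_id: str      # Google account identifier paired with the token
    encrypted: bool   # True when the blob carries the OSCrypt marker
    size: int         # length of the stored blob in bytes


def inventory_tokens(conn: sqlite3.Connection) -> list[StoredToken]:
    """List every account token held in a WebData token_service table."""
    rows = conn.execute(
        "SELECT service, encrypted_token FROM token_service ORDER BY service"
    ).fetchall()
    found: list[StoredToken] = []
    for service, blob in rows:
        if not service.startswith(ACCOUNT_PREFIX):
            continue  # non-account rows are not what gets paired with a GAIA ID
        blob = bytes(blob or b"")
        found.append(StoredToken(
            gaia_id=service[len(ACCOUNT_PREFIX):],
            encrypted=blob.startswith(OSCRYPT_PREFIX),
            size=len(blob),
        ))
    return found


def inventory_profile(web_data_path: Path) -> list[StoredToken]:
    """Hypothetical helper: inventory a real profile. Chrome locks the live
    file, so work from a temporary copy."""
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "WebData"
        shutil.copy2(web_data_path, copy)
        conn = sqlite3.connect(copy)
        try:
            return inventory_tokens(conn)
        finally:
            conn.close()


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for WebData (sample data, not a real dump)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE token_service ("
        "service VARCHAR PRIMARY KEY NOT NULL, encrypted_token BLOB)"
    )
    conn.executemany("INSERT INTO token_service VALUES (?, ?)", [
        # constructed: a normally wrapped token
        ("AccountId-100000000000000000001", OSCRYPT_PREFIX + b"\x00" * 40),
        # constructed: a blob without the OSCrypt marker, usable without Local State
        ("AccountId-100000000000000000002", b"1//0e-constructed-token"),
        # constructed: a non-account row that must be ignored
        ("lso", OSCRYPT_PREFIX + b"\x01" * 20),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for tok in inventory_tokens(build_sample_db()):
        state = "encrypted" if tok.encrypted else "NOT OSCrypt-wrapped"
        print(f"GAIA ID {tok.gaia_id}: {state}, {tok.size} bytes")
```

Run it against a copy of the profile's Web Data file (the article writes it WebData; on Windows it lives under the Chrome User Data directory) from a host suspected of running an infostealer: every GAIA ID it lists is an account whose refresh token was available to the stealer. Because the regenerated session survives a password reset, CloudSEK's recommendation is to first sign out of all browser profiles on the affected account, which invalidates the stored tokens, and only then reset the password.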

"Sessions remain valid even if the account password is changed, which is a unique advantage in bypassing typical security measures," the report quotes PRISMA, the author of the exploit.

Researchers note a worrying trend: exploits are rapidly consolidated and shared among different cybercriminal groups. Abuse of Google's undocumented OAuth2 MultiLogin endpoint is a prime example of the sophistication involved, since the method relies on subtle manipulation of Google Accounts and ID Administration (GAIA) tokens. Lumma additionally wraps the exploit in a cryptographic layer to hide its mechanism.

"This exploitation technique demonstrates a high degree of sophistication and understanding of Google's internal authentication mechanisms. By manipulating the "Token:GAIA ID" pair, Lumma can continually regenerate cookies for Google services, and, particularly troubling, the exploit remains in effect even if a user's password is reset, allowing for ongoing and potentially undetectable exploitation of user accounts and data," the CloudSEK team concluded.

refer to:

https://www.cloudsek.com/blog/compromising-google-accounts-malwares-exploiting-undocumented-oauth2-functionality-for-session-hijacking

Original article by batsom, if reproduced, please credit: https://www.cncso.com/en/google-accounts-malwares-exploiting-undocumented-oauth2-session-hijacking.html
