Title: Exploit on Google’s MultiLogin Endpoint Raises Security Concerns
Subtitle: Information Stealing Malware Exploits Undocumented Google OAuth Endpoint
Date: [Insert Date]
In a concerning development, cybersecurity company CloudSEK has reported that an undocumented Google OAuth endpoint named MultiLogin is being exploited by information stealing malware. The exploit allows threat actors to hijack user sessions and maintain access to Google services, even after the victim resets their password.
The critical exploit, which enables session persistence and cookie generation, was first revealed by a threat actor named PRISMA on October 20, 2023. Since then, this technique has been incorporated into various malware families, including Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.
The MultiLogin authentication endpoint was originally designed to synchronize Google accounts across services in the Chrome web browser. In practice, the Lumma Stealer code targets Chrome's token_service table in the WebData database to extract tokens and account IDs. These stolen tokens are then submitted to the MultiLogin endpoint to regenerate Google authentication cookies.
CloudSEK has identified three token-cookie generation scenarios depending on user activity. This method allows threat actors to maintain access to compromised Google accounts, enabling them to conduct malicious activities and steal sensitive information.
Upon being alerted about the exploit, Google recognized the attack method and advised users to log out of their impacted browsers to revoke stolen sessions. Google also assured users that they are constantly upgrading defenses against malware attacks and taking steps to secure compromised accounts.
To further enhance security, Google recommends users utilize Enhanced Safe Browsing in Chrome and change their passwords. These precautions will help mitigate the risks associated with this and other similar infostealers.
This exploit highlights the need for advanced security solutions to counter the ever-evolving cyber threats. As threat actors continue to develop new techniques, it is crucial for individuals and organizations alike to stay vigilant and adopt robust security measures to protect their online presence.
In conclusion, the exploitation of the undocumented Google OAuth endpoint, MultiLogin, by information stealing malware poses a serious security threat to users. The involvement of multiple malware families and the persistence of stolen sessions demand immediate attention from both users and Google. By following the recommended security measures, users can safeguard their accounts and help combat these evolving cyber threats.