Cybersecurity firm CloudSEK has discovered a sophisticated hacking technique that can exploit a vulnerability in Google's OAuth2 authorization protocol. The exploit gives hackers access to Google accounts even if you change your password or IP.
The exploit was developed by a threat actor named PRISMA. It takes advantage of an undocumented Google endpoint called "MultiLogin" used internally to sync account states across Google services. By manipulating this endpoint, the exploit can regenerate valid Google session cookies indefinitely.
Here are some more details about the exploit and what you can do to protect yourself from it.
Malware Leverages Exploit for Stealthy Account Hijacking
According to a report by CloudSEK, PRISMA announced the exploit on a Telegram channel on October 20th. It was first observed in a malware called Lumma Infostealer on November 14. Lumma steals authentication tokens, account IDs, and other credentials from a victim's Chrome browser data. It uses these stolen credentials with the MultiLogin endpoint to generate persistent valid cookies for the victim's Google account.
The sophistication of this technique shows an advanced understanding of Google's internal systems. It is much more than hijacking a single user session: the attacker can regenerate cookies as often as they want to get back into the account.
As of yet, though, it is unclear whether this exploit affects two-factor authentication (2FA). That is all the more reason to enable 2FA: it serves as a strong defense mechanism against potential exploits and improves the overall security of your account.
Concerning Trend of Exploit Proliferation in Malware
The exploit signals a worrying trend: advanced exploits are being integrated into cybercriminal malware rapidly. The ability to maintain stealthy unauthorized access allows prolonged exploitation of user accounts and extraction of their data.
CloudSEK believes this vulnerability in the OAuth2 protocol is particularly concerning, as the protocol is widely used to authenticate access across many internet services. Manipulating its mechanisms could potentially enable broad account exploitation beyond just Google accounts. Users should remain vigilant about unauthorized access even after changing their passwords, and Google should address this vulnerability urgently.