Changing your password won't help: a new hacking method threatens the security of Google accounts

Brother

Why this exploit is different from anything we've seen before.

According to a report presented by CloudSEK, the new hacking method allows attackers to abuse the functionality of the OAuth 2.0 authorization protocol to compromise Google accounts. The method allows valid sessions to be maintained by regenerating cookies, even after a change of IP address or password.

The attack, carried out using an undocumented Google OAuth endpoint called "MultiLogin", was identified by a team of CloudSEK researchers. "MultiLogin" is an internal mechanism designed to synchronize Google accounts across various services, ensuring that the account states in the browser correspond to Google authentication cookies.

It is noted that the developer of the exploit expressed his willingness to cooperate, which accelerated the identification of the endpoint responsible for the regeneration of cookies.

The exploit was integrated into the Lumma Infostealer malware on November 14. Key features of Lumma include session persistence and cookie generation. The program is aimed at extracting the necessary secrets, tokens, and account IDs by attacking the token_service table in the WebData of logged-in Chrome profiles.

"The session remains valid even when the account password is changed, which is a unique advantage in circumventing typical security measures," the report quotes the words of PRISMA, the author of the exploit.

The researchers note an alarming trend towards rapid integration of exploits among various cybercrime groups. Exploiting the undocumented Google OAuth2 MultiLogin endpoint is a prime example of this sophistication, as the approach is based on precise manipulation of the GAIA ID token (Google Accounts and ID Administration). The malware hides the exploit mechanism behind an encryption layer.

"This exploitation technique demonstrates a high level of sophistication and understanding of Google's internal authentication mechanisms. By manipulating the 'token: GAIA ID' pair, Lumma can perpetually regenerate cookies for Google services. Especially worrying is that this exploit remains effective even after users' passwords are reset, allowing for prolonged and potentially undetectable exploitation of user accounts and data," the CloudSEK team concluded.