A serious exploit affecting Google services that is being used to grant threat actors access to Google Accounts has been uncovered by cybersecurity company CloudSEK.

The exploit, which was identified in October 2023, enables continuous access to Google services even after a victim resets their password.

The malware has “rapidly spread” to a various malware groups, including Lumma, Rhadamanthys, Risepro, Meduza, Stealc, and White Snake.

Google account hijacking malware spreads rapidly

CloudSEK says the exploit allows the generation of persistent Google cookies through token manipulation, giving a threat actor continuous access to a victim’s account.

Since information about the vulnerability was exposed in October, a growing list of threat actors have been incorporating the exploit into their infostealers and malware to get access to Google accounts. At least six groups are now actively exploiting the vulnerability with their own malware.

CloudSEK’s analysis confirms that the Google OAuth endpoint, MultiLogin, which is designed to synchronize Google Accounts across services and give users a consistent user experience, is part of the key used by threat actors to break into Google Accounts.

Reverse engineering has revealed that the malware targets the token_service table of Chrome’s WebData to extract tokens and account IDs from Chrome profiles.

Threat actors can use the stolen information to regenerate session cookies, which are designed to have a limited lifespan, to unlock access to a victim’s account.

Reporting by Bleeping Computer reveals that one group, Lumma, has already updated the exploit to counteract Google’s mitigations, indicating that Google is already aware of the exploit. By the looks of it, though, Lumma has outsmarted the company – for now.

TechRadar Pro has asked Google for more information on how users can protect themselves and whether the company will release any additional protective measures. In the meantime, users can avoid a lot of cybersecurity problems just by being careful about what they download – a lot of malware is actually ‘voluntarily’ downloaded (intentionally or unintentionally) by the victim.

More from TechRadar Pro

Services MarketplaceListings, Bookings & Reviews

Entertainment blogs & Forums

Washing machine by domestic helper | 健樂護理有限公司 kl home care ltd.