Malware Exploits Google's OAuth to Hijack User Accounts, Bypassing Password Resets

According to CloudSEK, a series of malware families has been exploiting a lesser-known Google OAuth endpoint, dubbed "MultiLogin", to restore expired authentication cookies and take over user accounts. The technique remains effective even after a password reset, which makes it a significant security loophole.

Session cookies, which store authentication details so that users can access websites and services without logging in repeatedly, typically have a short lifespan to limit misuse. The recent discovery, however, points to a persistent vulnerability. Two malware strains, Lumma and Rhadamanthys, have been particularly noted for their ability to reactivate stolen Google authentication cookies, thereby regaining access to Google accounts even after a password reset or account logout.

Adding to the concern, CloudSEK's research reveals how far-reaching the impact of this zero-day exploit is. The exploit first came to light through a Telegram post by a hacker known as PRISMA, who claimed to have discovered a method for restoring expired Google cookies.

CloudSEK's reverse engineering revealed that the exploit leverages "MultiLogin", an undocumented Google OAuth endpoint designed to synchronize accounts across Google's various services. The endpoint accepts a combination of account IDs and auth-login tokens, and its abuse by malware allows expired Google Service cookies to be regenerated, giving attackers continued unauthorized access to compromised accounts.

The gravity of the situation is further underlined by how quickly other malware developers have adopted the exploit. Stealc, Medusa, RisePro, and Whitesnake all now claim the capability to regenerate Google cookies using this API endpoint.