December 29, 2023 at 11:16AM
Multiple malware families are exploiting an undocumented Google OAuth endpoint called “MultiLogin” to revive expired authentication cookies and infiltrate users’ accounts. This technique allows cybercriminals to gain unauthorized access to Google accounts, even after password resets or logouts. Despite being notified, Google has not responded to inquiries about this issue. The exploit has been adopted by multiple information-stealing malware developers, and its current exploitation and mitigation status remain uncertain.
The meeting notes highlight a concerning security issue where multiple information-stealing malware families are exploiting an undocumented Google OAuth endpoint named “MultiLogin” to regenerate expired authentication cookies and gain unauthorized access to users’ Google accounts, even after password resets and logouts. Despite efforts from threat intelligence firms like CloudSEK and Hudson Rock to shed light on this exploit, Google has not provided any response or confirmed abuse of the MultiLogin endpoint. Furthermore, malware developers have rushed to incorporate this exploit into their stealers, leading to at least six info-stealers being able to regenerate Google cookies using this API endpoint. Additionally, there are indications that tech giant Lumma has attempted to counteract Google’s mitigations for this exploit, suggesting that the issue is ongoing. Given the seriousness of this security vulnerability, it is important to carefully monitor any developments and stay informed about Google’s efforts to address this issue.