January 3, 2024 at 10:39AM
Information stealers are exploiting a Google authentication vulnerability to regenerate cookies and maintain access to accounts, despite password changes. The exploit, involving a MultiLogin endpoint and Chrome tokens, allows attackers to gain persistent access to Google services. The technique has been adopted by multiple infostealers, raising concerns about widespread cyberattacks.
The meeting notes highlight a new technique adopted by information stealers to restore Google cookies and keep compromised accounts accessible even after victims change their passwords. It relies on a weakness in Google's authentication process: an attacker who extracts account IDs and tokens from Chrome can submit the token-GAIA ID pairs to the MultiLogin endpoint, which regenerates valid Google cookies and so grants continuous access to Google services. The notes also emphasize the potential impact on corporate email addresses and data security, and the alarming persistence of this exploit across password resets. Efforts are under way to alert Google to the issue and obtain a response. This is a critical security concern that requires immediate attention and proactive measures from all relevant parties.