Google: Malware abusing API is standard token theft, not an API issue

January 6, 2024 at 11:46AM

Malware is exploiting an undocumented Google Chrome API to generate new authentication cookies from stolen ones. Multiple malware operations are using this technique to gain access to users’ Google accounts through the API, and Google has downplayed the severity of the issue. The company urges affected users to take precautionary measures. Google has not announced plans to restrict access to the API.

The article discusses the abuse of an undocumented Google Chrome API by information-stealing malware operations. The abuse centers on generating new authentication cookies through the Google OAuth “MultiLogin” API endpoint in order to gain unauthorized access to Google accounts.

Despite multiple information-stealing malware operations adopting this technique, Google appears to downplay the severity of the issue and reassures users that it is constantly improving its defenses. The company’s recommended action for affected users is to log out of Chrome or invalidate all active sessions via g.co/mydevices, which renders the stolen refresh token unusable with the API. Google further advises users to change their passwords and remove any malware from their devices. Although Google claims to have detected and notified impacted users, the issue remains concerning, particularly because most infected individuals are unaware that they have been compromised.

The BleepingComputer team has made attempts to learn more about the undocumented API from Google but has faced challenges in obtaining a response.

The article also highlights the significant impact of information-stealing malware infections, citing a real-world example in which stolen credentials were misused to cause Internet outages for a major mobile provider. This illustrates the potentially far-reaching consequences of the API abuse.

The article suggests a need for stronger measures to restrict the abuse of this API by malware-as-a-service operations, as well as a more effective remedy for future victims who may not be aware that their accounts have been compromised.

In conclusion, while Google’s actions and recommendations aim to mitigate the impact of the API abuse, there are concerns regarding the effectiveness of these measures and the lack of a more proactive approach from Google to address the root cause of the issue.
