Google MultiLogin Exploit Uncovered

In a startling revelation that underscores the relentless evolution of cyber threats, security experts have uncovered a sophisticated malware scheme that exploits an undocumented Google OAuth endpoint, known as MultiLogin, to hijack user sessions. This technique ensures that malicious actors maintain access to compromised Google accounts even after the victims reset their passwords.

Initially disclosed by an entity named PRISMA on October 20, 2023, this alarming exploit enables the generation of persistent Google cookies through token manipulation. Since its disclosure, various malware-as-a-service (MaaS) stealer families, including Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake, have swiftly incorporated this exploit into their nefarious activities.

According to research done by Pavan Karthick M, the exploit targets Chrome’s token_service table of WebData, extracting tokens and account IDs from Chrome profiles. This maneuver is essential for synchronizing Google accounts across services. When users sign in to Chrome, they often do not realize that their profile can contain sensitive information, such as bookmarks, history, and passwords. Users should only share their devices with trusted individuals and consider the use of multiple profiles for scenarios like sharing a computer or keeping different accounts distinct.

Google has acknowledged this attack method and recommended that users can thwart the continued unauthorized access by logging out of the affected browsers or remotely revoking them via their account’s security settings. Furthermore, they have advised empowering themselves with Enhanced Safe Browsing in Chrome, which offers significant protection against phishing and malware.

This year alone, an anonymous hacker identified as “irleaks” reportedly launched major cyberattacks against several companies in Iran using malware that leveraged this Google MultiLogin Exploit. The aftermath of these attacks saw over 160 million Iranian records exposed and up for sale.

As cybercriminals refine their techniques, traditional cybersecurity measures such as firewalls and VPNs are no longer adequate shields against these threats. Advanced security solutions are critical in countering such advanced tactics.

The landscape of cybersecurity is clearly undergoing a radical transformation. The Google MultiLogin exploit saga is a stark reminder that vigilance and sophisticated defense mechanisms are integral to safeguarding digital assets. It also underscores the need for continuous monitoring of technical vulnerabilities, in conjunction with a robust human intelligence effort, to stay ahead of emerging threats and ensure a more secure cyberspace.