Attackers have been exploiting an undocumented Google OAuth endpoint to hijack user sessions and allow continuous access to Google services, even after a password reset.
CloudSEK researchers learned of the zero-day exploit in October, when Prisma made an announcement on its Telegram channel revealing a way to bypass typical security measures on Google account sessions.
OAuth enables applications to get access to data and resources held by other trusted online services and sites, based on permissions granted by the user, and it is the mechanism responsible for the authentication handoff between those sites.
While the standard is certainly useful, it also presents risk to organizations if it's not implemented correctly, and there are a number of ways attackers can abuse vulnerable instances and the standard itself.
Security researchers have found flaws in its implementation that have exposed key online services platforms such as Booking.com and others to attack.
Others have used malicious OAuth apps of their own creation to compromise Microsoft Exchange servers.
CloudSEK used Chromium's source code to identify the MultiLogin endpoint as an internal mechanism designed for synchronizing Google accounts across services, facilitating a consistent user experience by ensuring that browser account states align with Google's authentication cookies.
In this way, it's a critical part of Google's OAuth system, accepting vectors of account IDs and auth-login tokens, CloudSEK explained.
CloudSEK analyzed the approach of Lumma - the first info stealer to develop a technique to use the exploit - to shed light on how this abuse works.
This token:GAIA ID pair, when used in conjunction with the MultiLogin endpoint, enables the regeneration of Google service cookies.
Blackboxing the technique in this way likely served two purposes: it masks the core mechanism of the exploit, making it harder for other threat actors to duplicate.
It is also less likely to trigger alarms in network security systems, according to CloudSEK, because standard security tooling tends to overlook encrypted traffic, mistaking it for legitimate activity.
Ultimately, manipulating the token:GAIA ID pair allowed Lumma to continuously regenerate cookies for Google services, an exploit that remained effective even after users had reset their passwords, CloudSEK found.
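The design lesson here is that a password reset only helps if it also revokes the long-lived tokens that can mint new session cookies. The following is an added, deliberately simplified model written for this article; it is not Google's code and makes no claim about how MultiLogin is actually implemented. The `AccountService` class, its method names, and the "victim" account are all constructed for illustration. Running the scenario with `revoke_tokens_on_reset=False` reproduces the failure mode CloudSEK describes (a previously issued token still yields a valid cookie after the reset); with `revoke_tokens_on_reset=True` the reset invalidates the token and the cookie regeneration is refused.

```python
"""Toy model of cookie regeneration from a long-lived token, and of a
password reset that does or does not revoke such tokens.
Added illustration for this article; not Google's implementation."""
import hashlib
import secrets


def _hash(password: str) -> str:
    # Toy hashing for the model only; a real system would use a slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()


class AccountService:
    """Minimal account store: password hashes, long-lived login tokens,
    and short-lived session cookies minted from those tokens."""

    def __init__(self, revoke_tokens_on_reset: bool):
        self.revoke_tokens_on_reset = revoke_tokens_on_reset
        self.password_hash = {}   # account_id -> hashed password
        self.tokens = {}          # login token -> account_id
        self.cookies = {}         # session cookie -> account_id

    def register(self, account_id: str, password: str) -> None:
        self.password_hash[account_id] = _hash(password)

    def login(self, account_id: str, password: str) -> str:
        """A password login issues a long-lived token bound to the account."""
        if self.password_hash.get(account_id) != _hash(password):
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self.tokens[token] = account_id
        return token

    def regenerate_cookie(self, account_id: str, token: str) -> str:
        """Models an endpoint that accepts an (account id, token) pair and
        mints a fresh session cookie without asking for the password."""
        if self.tokens.get(token) != account_id:
            raise PermissionError("token not valid for this account")
        cookie = secrets.token_hex(16)
        self.cookies[cookie] = account_id
        return cookie

    def reset_password(self, account_id: str, new_password: str) -> None:
        """Change the password and drop live cookies; whether the long-lived
        tokens are revoked too is the design choice under discussion."""
        self.password_hash[account_id] = _hash(new_password)
        self.cookies = {c: a for c, a in self.cookies.items() if a != account_id}
        if self.revoke_tokens_on_reset:
            self.tokens = {t: a for t, a in self.tokens.items() if a != account_id}

    def cookie_is_valid(self, cookie: str) -> bool:
        return cookie in self.cookies


def token_survives_reset(revoke_tokens_on_reset: bool) -> bool:
    """Scenario: a login token is issued, the account's password is reset,
    and we check whether that old token can still mint a valid cookie.
    Returns True when the reset did NOT close the door (the failure mode)."""
    svc = AccountService(revoke_tokens_on_reset)
    svc.register("victim", "old-password")          # constructed sample account
    token = svc.login("victim", "old-password")     # token issued before the reset
    svc.reset_password("victim", "new-password")
    try:
        cookie = svc.regenerate_cookie("victim", token)
    except PermissionError:
        return False
    return svc.cookie_is_valid(cookie)


if __name__ == "__main__":
    print("reset without token revocation, old token still works:",
          token_survives_reset(False))   # True: the failure mode
    print("reset with token revocation, old token still works:",
          token_survives_reset(True))    # False: reset closes the session
```

The defensive takeaway the model makes concrete: invalidating current cookies on a password change is not enough when a separate long-lived credential can re-mint them, so the reset path has to revoke that credential as well, and monitoring should treat cookie regeneration from a token issued before a reset as anomalous.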
Lumma's subsequent adaptation of the exploit - which introduced the use of SOCKS proxies to circumvent Google's IP-based restrictions on cookie regeneration - inadvertently exposed some details of its techniques.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 02 Jan 2024 17:10:56 +0000