Attackers Abuse Google OAuth Endpoint to Hijack User Sessions

Attackers have been exploiting an undocumented Google OAuth endpoint to hijack user sessions and allow continuous access to Google services, even after a password reset.
CloudSEK researchers learned of the zero-day exploit in October, when Prisma made an announcement on its Telegram channel revealing a way to bypass typical security measures on Google account sessions.
OAuth enables applications to get access to data and resources to other trusted online services and sites based on permissions set by a user, and it is the mechanism responsible for the authentication handoff between the sites.
While the standard is certainly useful, it also presents risk to organizations if it's not implemented correctly, and there are a number of ways attackers can abuse vulnerable instances and the standard itself.
Security researchers have found flaws in its implementation that have exposed key online services platforms such as Booking.com and others to attack.
Others have used malicious OAuth apps of their creation to compromise Microsoft Exchange servers.
CloudSEK used Chromium's source code to identify the MultiLogin endpoint as an internal mechanism designed for synchronizing Google accounts across services, facilitating a consistent user experience by ensuring that browser account states align with Google's authentication cookies.
In this way, it's a critical part of Google's OAuth system, accepting vectors of account IDs and auth-login tokens, he explained.
‍CloudSEK analyzed the approach of Lumma - the first info stealer to develop a technique to use the exploit - to shed light on how this abuse works.
This pair, when used in conjunction with the MultiLogin endpoint, enables the regeneration of Google service cookies.
This blackboxing was likely done to serve two purposes: it masks the core mechanism of the exploit, thus making it harder for other threat actors to duplicate.
It also is less likely to trigger alarms in network security systems, according to CloudSEK, as standard security protocols tend to overlook encrypted traffic, mistaking it as legitimate.
Ultimately, manipulating the token:GAIA ID pair allowed Lumma to continuously regenerate cookies for Google services, an exploit that remained effective even after users have reset their passwords, CloudSEK found.
Lumma's subsequent adaptation of the exploit - which introduced the use of SOCKS proxies to circumvent Google's IP-based restrictions on cookie regeneration - inadvertently exposed some details of its techniques.


This Cyber News was published on www.darkreading.com. Publication date: Tue, 02 Jan 2024 17:10:56 +0000


Cyber News related to Attackers Abuse Google OAuth Endpoint to Hijack User Sessions

Threat actors misuse OAuth applications to automate financially driven attacks - Threat actors are misusing OAuth applications as an automation tool in financially motivated attacks. Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious ...
1 year ago Microsoft.com
Attackers Abuse Google OAuth Endpoint to Hijack User Sessions - Attackers have been exploiting an undocumented Google OAuth endpoint to hijack user sessions and allow continuous access to Google services, even after a password reset. CloudSEK researchers learned of the zero-day exploit in October, when Prisma ...
11 months ago Darkreading.com
Attackers Target Microsoft Accounts to Weaponize OAuth Apps - Threat actors are abusing organizations' weak authentication practices to create and exploit OAuth applications, often for financial gain, in a string of attacks that include various vectors, including cryptomining, phishing, and password spraying. ...
1 year ago Darkreading.com
What Is OAuth 2.0? - Scope of Access: Before OAuth, the meal planning app might have access to data that the user did not actually wish to share. No Way to Revoke Access: Before OAuth, the user could not easily restrict or revoke the meal planning app's access to their ...
11 months ago Feeds.dzone.com
Hackers Abuse OAuth Applications to Automated Finacial Attacks - OAuth is an industry-standard protocol that allows third-party applications to access a user's data without exposing login credentials. This standard protocol facilitates secure authorization and authentication, commonly used to access resources on ...
1 year ago Cybersecuritynews.com
Unified Endpoint Management: What is it and What's New? - What began as Mobile Device Management has now transitioned through Mobile Application Management and Enterprise Mobility Management to culminate in UEM. This progression underscores the industry's response to the ever-growing challenges of modern IT ...
1 year ago Securityboulevard.com
Data thieves abuse Microsoft's 'verified publisher' status The Register - Miscreants using malicious OAuth applications abused Microsoft's "Verified publisher" status to gain access to organizations' cloud environments, then steal data and pry into to users' mailboxes, calendars, and meetings. According to researchers with ...
1 year ago Packetstormsecurity.com
What's new in the MSRC Report Abuse Portal and API - The Microsoft Security Response Center has always been at the forefront of addressing cyber threats, privacy issues, and abuse arising from Microsoft Online Services. Building on our commitment, we have introduced several key updates to the Report ...
5 months ago Msrc.microsoft.com
Attackers abuse OAuth apps to initiate large-scale cryptomining and spam campaigns - Attackers are compromising high-privilege Microsoft accounts and abusing OAuth applications to launch a variety of financially-motivated attacks. OAuth is an open standard authentication protocol that uses tokens to grant applications access to ...
1 year ago Helpnetsecurity.com
Researchers Claim Design Flaw in Google Workspace Puts Organizations at Risk - Google is disputing a security vendor's report this week about an apparent design weakness in Google Workspace that puts users at risk of data theft and other potential security issues. According to Hunters Security, a flaw in Google Workspace's ...
1 year ago Darkreading.com
Latest Information Security and Hacking Incidents - User data security has grown critical in an era of digital transactions and networked apps. The misuse of OAuth applications is a serious danger that has recently attracted attention in the cybersecurity field. OAuth is a widely used authentication ...
1 year ago Cysecurity.news
Microsoft Disables Verified Partner Accounts Used for OAuth Phishing - Microsoft has disabled multiple fraudulent, verified Microsoft Partner Network accounts for creating malicious OAuth applications that breached organizations cloud environments to steal email. In a joint announcement between Microsoft and Proofpoint, ...
1 year ago Bleepingcomputer.com
Money-grubbing crooks abuse OAuth apps for BEC, phishing The Register - Multiple miscreants are misusing OAuth to automate financially motivated cyber crimes - such as business email compromise, phishing, large-scale spamming campaigns - and deploying virtual machines to illicitly mine for cryptocurrencies, according to ...
1 year ago Go.theregister.com
Google: Malware abusing API is standard token theft, not an API issue - Google is downplaying reports of malware abusing an undocumented Google Chrome API to generate new authentication cookies when previously stolen ones have expired. In late November 2023, BleepingComputer reported on two information-stealing malware ...
11 months ago Bleepingcomputer.com
Threat Actors Exploit Microsoft Verified Publisher Status to Abuse OAuth Privileges - Researchers from cybersecurity firm Proofpoint have discovered a new threat campaign involving malicious third-party OAuth apps that are used to infiltrate organizations cloud environments. Threat actors abused Microsofts Verified publisher status, ...
1 year ago Csoonline.com
Malware abuses Google OAuth endpoint to 'revive' cookies, hijack accounts - Session cookies are a special type of browser cookie that contains authentication information, allowing a person to automatically log in to websites and services without entering their credentials. These types of cookies are meant to have a limited ...
11 months ago Bleepingcomputer.com
The Power of Endpoint Telemetry in Cybersecurity - Cisco - By filtering out unwanted data, this telemetry reduces noise and offers clear visibility into endpoint activities, including processes, parent-child process relationships, triggered events, files and network activity, whether malicious or benign. ...
2 months ago Feedpress.me
Microsoft: OAuth apps used to automate BEC and cryptomining attacks - Microsoft warns that financially-motivated threat actors are using OAuth applications to automate BEC and phishing attacks, push spam, and deploy VMs for cryptomining. OAuth is an open standard for granting apps secure delegated access to server ...
1 year ago Bleepingcomputer.com
Google Cloud Next 2024: New Data Center Chip Joins Ecosystem - Google Cloud announced a new enterprise subscription for Chrome and a bevy of generative AI add-ons for Google Workspace during the Cloud Next '24 conference, held in Las Vegas from April 9 - 11. Overall, Google Cloud is putting its Gemini generative ...
8 months ago Techrepublic.com
Ahead of Regulatory Wave: Google's Pivotal Announcement for EU Users - Users in the European Union will be able to prevent Google services from sharing their data across different services if they do not wish to share their data. Google and five other large technology companies must comply with the EU's Digital Markets ...
11 months ago Cysecurity.news
An Overview of OAuth Explaining the Basics of Open Authorization - OAuth is an open standard authorization framework that enables users to securely share account information with third-party services, such as Facebook and Google, without having to reveal their credentials. It was first released in 2007 for the ...
1 year ago Heimdalsecurity.com
Google Workspace Announced New Password Policies, What is Changing - Google Workspace will no longer support the sign-in method for third-party apps or devices that require users to share their Google username and password. Google Workspace has announced new password policies that will impact how users and third-party ...
2 months ago Gbhackers.com
Hackers Abused Microsoft's "Verified Publisher" OAuth Apps to Hack Corporate Email Accounts - Microsoft on Tuesday said it took steps to disable fake Microsoft Partner Network accounts that were used for creating malicious OAuth applications as part of a malicious campaign designed to breach organizations' cloud environments and steal email. ...
1 year ago Thehackernews.com
Microsoft Shares New Guidance in the Wake of 'Midnight Blizzard' Cyberattack - Microsoft has released new guidance for organizations on how to protect against persistent nation-state attacks like the one disclosed a few days ago that infiltrated its own corporate email system. A key focus of the guidance is on what ...
10 months ago Darkreading.com
DeleFriend Weakness Puts Google Workspace Security at Risk - Security researchers have uncovered a new design flaw in the Google Workspace Domain-Wide Delegation feature. Named "DeleFriend" by Hunters' Team Axon, the vulnerability could potentially expose Google Workspace to unauthorized access and privilege ...
1 year ago Infosecurity-magazine.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)