Google is downplaying reports of malware abusing an undocumented Google Chrome API to generate new authentication cookies when previously stolen ones have expired.
In late November 2023, BleepingComputer reported on two information-stealing malware operations named Lumma and Rhadamanthys, claiming they could restore expired Google authentication cookies stolen in attacks.
These cookies could then be loaded into threat actors' browsers to gain access to an infected user's Google accounts.
This API is believed to be designed for synchronizing accounts across different Google services by accepting a vector of account IDs and auth-login tokens.
BleepingComputer's attempts to learn more about this API from Google have been unsuccessful, and the only documentation can be found in Google Chrome's source code.
CloudSEK researcher Pavan Karthick told BleepingComputer that the information-stealing malware abusing this feature will now steal multiple tokens from Google Chrome.
These tokens include any authentication cookies for Google sites and a special token that can be used to refresh, or generate, new authentication tokens.
Google sees this API abuse as just your regular, garden-variety malware-based cookie theft.
Sources familiar with this issue have told BleepingComputer that Google believes the API is working as intended and that no vulnerability is being exploited by the malware.
Google's solution to this issue is simply having users log out of their Chrome browser from the affected device or kill all active sessions via g.co/mydevices.
Doing so will invalidate the refresh token and make it unusable with the API. Because the info-stealing malware also took your saved credentials, you should change your Google password out of caution as well, especially if you reuse the same credentials at other sites.
While these recommended steps will mitigate the impact of information-stealing malware infections, most people infected with this type of malware will not know when to do these steps.
When people are infected with information-stealing malware, they typically do not know until their accounts are accessed without permission and abused in some detectable manner.
One recent example: an employee of Orange España, the country's second-largest mobile phone provider, had their passwords stolen by information-stealing malware.
BleepingComputer has asked Google what plans they have to mitigate this API abuse but has not received a response to these questions.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sat, 06 Jan 2024 16:41:41 +0000