Multiple information-stealing malware families are exploiting an undocumented Google OAuth endpoint named “MultiLogin” to revive expired authentication cookies, giving them unauthorized access to users’ Google accounts. Session cookies are designed to have a limited lifespan; once they expire, they normally can no longer be used for prolonged unauthorized access.
However, threat actors have discovered a zero-day exploit allowing them to regenerate expired Google authentication cookies, even after legitimate owners have reset passwords or logged out. A threat actor named PRISMA initially disclosed the exploit and shared the method of restoring expired cookies on Telegram.
CloudSEK researchers further investigated the matter, revealing that the exploit leverages the “MultiLogin” endpoint, which is intended for synchronizing accounts across various Google services. The abused API endpoint, part of the Gaia Auth API, accepts a vector of account IDs and auth-login tokens, enabling threat actors to extract crucial information for persistent access.
Malware including Lumma, Rhadamanthys, Stealc, Medusa, and RisePro have already adopted the Google OAuth endpoint exploit.
The zero-day exploit works by extracting tokens and account IDs from Chrome profiles logged into a Google account. The stolen information includes the service (GAIA ID) and encrypted_token values. Using an encryption key stored in Chrome’s ‘Local State’ file, threat actors decrypt the stolen tokens. These decrypted tokens, paired with the MultiLogin endpoint, allow threat actors to regenerate expired Google Service cookies and so maintain persistent access to compromised accounts.
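A defender-side check for the behaviour described above, as an added example that is not from CloudSEK or the original article: it flags non-browser processes that read both Chrome's 'Local State' file and a file inside a profile directory within a short window. The event schema, the sample paths and process names, the browser allowlist and the 60-second window are all assumptions constructed for illustration.

```python
from collections import defaultdict
from ntpath import basename

BROWSER_IMAGES = {"chrome.exe"}            # assumption: allowlist of legitimate readers
USER_DATA = "\\google\\chrome\\user data\\"
WINDOW = 60                                 # seconds; assumed correlation window

# Constructed file-read events: (timestamp, pid, process image, file read).
# Hypothetical schema, not the output format of any real audit product.
BASE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
SAMPLE_EVENTS = [
    (100, 4120, r"C:\Program Files\Google\Chrome\Application\chrome.exe", BASE + r"\Local State"),
    (101, 4120, r"C:\Program Files\Google\Chrome\Application\chrome.exe", BASE + r"\Default\Web Data"),
    (200, 7788, r"C:\Users\alice\AppData\Local\Temp\setup.exe", BASE + r"\Local State"),
    (203, 7788, r"C:\Users\alice\AppData\Local\Temp\setup.exe", BASE + r"\Default\Web Data"),
    (300, 5150, r"C:\Tools\backup.exe", BASE + r"\Default\Bookmarks"),
    (900, 6001, r"C:\Tools\sync.exe", BASE + r"\Local State"),
    (1200, 6001, r"C:\Tools\sync.exe", BASE + r"\Profile 1\History"),
]

def classify(path):
    """Return 'key' for Local State, 'profile' for a file inside a profile dir, else None."""
    low = path.lower()
    idx = low.find(USER_DATA)
    if idx < 0:
        return None
    rest = low[idx + len(USER_DATA):]
    if rest == "local state":
        return "key"
    return "profile" if "\\" in rest else None

def suspicious_readers(events):
    """Non-browser processes that read both the key file and profile data within WINDOW."""
    seen = defaultdict(lambda: {"key": [], "profile": []})
    for ts, pid, image, path in events:
        kind = classify(path)
        if kind and basename(image).lower() not in BROWSER_IMAGES:
            seen[(pid, image)][kind].append(ts)
    hits = []
    for (pid, image), t in seen.items():
        if any(abs(k - p) <= WINDOW for k in t["key"] for p in t["profile"]):
            hits.append((pid, image))
    return sorted(hits)

if __name__ == "__main__":
    for pid, image in suspicious_readers(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} image={image} read Local State and profile data")
```

Matching the allowlist on the executable's base name alone is easy to spoof; a production rule would compare the full image path or the binary's code signature instead.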
Threat actors can only regenerate the authentication cookie once if a user resets their Google password. However, they can repeatedly regenerate it if the password remains unchanged. Notably, multiple information-stealing malware families, including Lumma, Rhadamanthys, Stealc, Medusa, RisePro, and Whitesnake, have adopted this exploit. These malware variants claim the ability to regenerate Google cookies using the API endpoint, which poses a significant threat to user account security.
Despite the exploitation being revealed and demonstrated, Google has not officially confirmed the abuse of the MultiLogin endpoint. The situation raises concerns about the scale of exploitation and the lack of mitigation efforts. The exploit’s adoption by multiple malware families emphasizes the urgent need for Google to address and patch this zero-day vulnerability.