Info-stealers can steal cookies for permanent access to your Google account

Hackers have found a way to gain unauthorized access to Google accounts, bypassing any multi-factor authentication (MFA) the user may have set up. To do this they steal authentication cookies and then extend their lifespan. It doesn’t even help if the owner of the account changes their password.

Since the discovery of the exploit, numerous white and black hat security researchers have looked into and discussed the issue. As a result, the exploit is now built into various information stealers.

Cookies are used to track users across websites and remember information about their visit. Authentication cookies are in essence pieces of data that the browser sends to a site to identify the user and check whether they are logged in. Usually these cookies have an expiration date after which the user will be asked to log in.

Persistent cookies enable continuous access to Google services, even after the user resets their password. The exploit generates persistent Google cookies by using a Google Application Programming Interface (API), designed for synchronizing accounts across different Google services, to revive expired authentication cookies.

A Google account provides access to Google services like Gmail, Google Calendar, and Google Maps, but also Google Ads and YouTube.

In a statement Google responded:

“We routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.”

However, some info stealers have reportedly already been updated to counter Google’s fraud detection measures.

Sources familiar with this issue have told BleepingComputer that Google believes the API is working as intended and that no vulnerability is being exploited by the malware, which implies that Google isn’t working on a more permanent fix for this problem.

Review devices

To check whether someone has accessed your account, you can view which computers, phones, or other devices were signed in to your Google Account recently.

  1. Go to your Google Account.
  2. On the left navigation panel, select Security.
  3. On the Your devices panel, select Manage all devices.
  4. You’ll see devices where you’re currently signed in to your Google Account or have been in the last few weeks. For more details, select a device or a session.
  5. Devices or sessions where you’re signed out will have a “Signed out” indication.
  6. If multiple sessions appear for the same device type, they might all be on one device or multiple devices. Review their details, and if you’re not sure all the sessions are from your devices, sign out on them.

Remediate

If you think your account has been compromised, you will have to sign out of all browsers to invalidate the current session tokens and then reset your password. Next you will need to sign back in to generate new tokens. Only this stops the unauthorized access because it invalidates the old tokens.

The steps outlined below are for administrators who manage Google Accounts for a company, school, or other group. As an administrator, you can sign a user out of a managed Google Account, such as Google Workspace or Cloud Identity.

To reset a user’s sign-in cookies:

  1. Sign in to your Google Admin console. Sign in using an administrator account, not your current account.
  2. In the Admin console, go to Menu > Directory > Users.
  3. In the Users list, find the user. If you need help, go to Find a user account.
  4. Click the user’s name to open the user’s account page.
  5. Click Security > Sign-in cookies > Reset.
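
When several managed accounts are affected, the same reset can be scripted. The following is an added example, not code from the original article or from Google: it assumes an Admin SDK Directory API v1 client is passed in, and it also sets the force-password-change flag to cover the password reset described above. `FakeDirectory` and the e-mail addresses are constructed so the example runs offline.

```python
def remediate_users(directory, user_keys):
    """Sign each user out everywhere, then force a password change.

    `directory` is an Admin SDK Directory API v1 client, for example from
    googleapiclient.discovery.build("admin", "directory_v1", credentials=...).
    Returns {user_key: "ok" | "failed: <reason>"}.
    """
    results = {}
    for key in user_keys:
        try:
            # Same effect as Security > Sign-in cookies > Reset.
            directory.users().signOut(userKey=key).execute()
            # The old password must not survive the incident either.
            directory.users().update(
                userKey=key, body={"changePasswordAtNextLogin": True}
            ).execute()
            results[key] = "ok"
        except Exception as exc:  # real client raises googleapiclient.errors.HttpError
            results[key] = f"failed: {exc}"  # keep going with the other users
    return results


class FakeDirectory:
    """Constructed stand-in for the real client so the example runs offline."""

    def __init__(self, missing=()):
        self.missing, self.calls = set(missing), []

    def users(self):
        return self

    def signOut(self, userKey):
        return _Request(self, ("signOut", userKey))

    def update(self, userKey, body):
        return _Request(self, ("update", userKey, body))


class _Request:
    def __init__(self, owner, call):
        self.owner, self.call = owner, call

    def execute(self):
        if self.call[1] in self.owner.missing:
            raise LookupError("user not found")
        self.owner.calls.append(self.call)


if __name__ == "__main__":
    fake = FakeDirectory(missing={"ghost@example.com"})  # constructed addresses
    print(remediate_users(fake, ["alice@example.com", "ghost@example.com"]))
```

Review the returned mapping for any "failed" entries and repeat the reset for those accounts in the Admin console.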

What might help stop this abuse is if Google speeds up the announced end of tracking cookies. Obviously, we think it’s best to keep these information stealers off your computer.

