{"id":23701,"date":"2024-01-13T13:10:49","date_gmt":"2024-01-13T21:10:49","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2024\/01\/13\/news-17431\/"},"modified":"2024-01-13T13:10:49","modified_gmt":"2024-01-13T21:10:49","slug":"news-17431","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/01\/13\/news-17431\/","title":{"rendered":"Info-stealers can steal cookies for permanent access to your Google account"},"content":{"rendered":"\n<p>Hackers have found a way to gain unauthorized access to Google accounts, bypassing any <a href=\"https:\/\/www.malwarebytes.com\/glossary\/multi-factor-authentication-mfa\">multi-factor authentication (MFA)<\/a> the user may have set up. To do this, they steal authentication cookies and then extend their lifespan. It doesn\u2019t even help if the owner of the account changes their password.<\/p>\n<p>Since the discovery of the exploit, numerous white and black hat security researchers have looked into and discussed the issue. As a result, the exploit is now built into various <a href=\"https:\/\/www.malwarebytes.com\/blog\/detections\/spyware-infostealer\">information stealers<\/a>.<\/p>\n<p>Cookies are used to track users across websites and remember information about their visit. Authentication cookies are in essence pieces of data that the browser sends to a site to identify the user and check whether they are logged in. Usually these cookies have an expiration date after which the user will be asked to log in.<\/p>\n<p>Persistent cookies enable continuous access to Google services, even after the user resets their password. The exploit generates persistent Google cookies by using a Google Application Programming Interface (API), designed for synchronizing accounts across different Google services, to revive expired authentication cookies. 
<\/p>\n<p>A Google account provides access to Google services like Gmail, Google Calendar, and Google Maps, but also Google Ads and YouTube.<\/p>\n<p>In a statement Google responded:<\/p>\n<blockquote class=\"wp-block-quote\">\n<p>\u201cWe routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.\u201d<\/p>\n<\/blockquote>\n<p>However, some info stealers have <a href=\"https:\/\/www.cloudsek.com\/blog\/compromising-google-accounts-malwares-exploiting-undocumented-oauth2-functionality-for-session-hijacking\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">reportedly<\/a> already been updated to counter Google&#8217;s fraud detection measures. <\/p>\n<p>Sources familiar with this issue have told <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-malware-abusing-api-is-standard-token-theft-not-an-api-issue\/\">BleepingComputer<\/a> that Google believes the API is working as intended and that no vulnerability is being exploited by the malware, which implies that Google isn&#8217;t working on a more permanent fix for this problem.<\/p>\n<h3 class=\"wp-block-heading\" id=\"h-review-devices\">Review devices<\/h3>\n<p>To check whether someone has accessed your account, you can view which computers, phones, or other devices were signed in to your Google Account recently.<\/p>\n<ol start=\"1\">\n<li>Go to your&nbsp;<a href=\"https:\/\/myaccount.google.com\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google Account<\/a>.<\/li>\n<li>On the left navigation panel, select&nbsp;<strong>Security<\/strong>.<\/li>\n<li>On the&nbsp;<em>Your devices<\/em>&nbsp;panel, select&nbsp;<strong>Manage all devices<\/strong>.<\/li>\n<li>You&#8217;ll see devices where you\u2019re currently signed in to your Google Account or have been in the last few weeks. 
For more details, select a device or a session.<\/li>\n<li>Devices or sessions where you\u2019re signed out will have a \u201cSigned out\u201d indication.<\/li>\n<li>If multiple sessions appear for the same device type, they might all be on one device or multiple devices. Review their details, and if you\u2019re not sure all the sessions are from your devices, sign out on them.<\/li>\n<\/ol>\n<h3 class=\"wp-block-heading\" id=\"h-remediate\">Remediate<\/h3>\n<p>If you think your account has been compromised, you will have to sign out of all browsers to invalidate the current session tokens and then reset your password. Next you will need to sign back in to generate new tokens. Only this stops the unauthorized access because it invalidates the old tokens.<\/p>\n<p>The steps outlined below are for administrators who manage Google Accounts for a company, school, or other group. As an administrator, you can sign a user out of a managed Google Account, such as Google Workspace or Cloud Identity.<\/p>\n<p>To reset a user&#8217;s sign-in cookies:<\/p>\n<ol start=\"1\">\n<li><a href=\"https:\/\/admin.google.com\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Sign in<\/a>&nbsp;to your&nbsp;<a href=\"https:\/\/support.google.com\/a\/answer\/182076\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google Admin console<\/a>. Sign in using an&nbsp;<em>administrator account<\/em>, not your current account.<\/li>\n<li>In the Admin console, go to <strong>Menu<\/strong>&nbsp;&gt;&nbsp;<strong>Directory &gt; Users<\/strong>.<\/li>\n<li>In the&nbsp;<strong>Users<\/strong>&nbsp;list, find the user. 
If you need help, go to&nbsp;<a href=\"https:\/\/support.google.com\/a\/answer\/33324\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Find a user account<\/a>.<\/li>\n<li>Click the user&#8217;s name to open the user&#8217;s account page.<\/li>\n<li>Click&nbsp;<strong>Security &gt; Sign-in cookies &gt; Reset<\/strong>.<\/li>\n<\/ol>\n<p>What might help stop this abuse is if Google speeds up the <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/12\/chrome-starts-the-countdown-to-the-end-of-tracking-cookies\">announced end of tracking cookies<\/a>. Obviously, we think it&#8217;s best to keep these information stealers off your computer.<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2024\/01\/info-stealers-can-steal-cookies-for-permanent-access-to-your-google-account\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> Several info-stealers have incorporated an exploit that allows them to gain permanent access to your Google account 
<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10599,10435,22783,1670,30709,10600,32],"class_list":["post-23701","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-authentication","tag-cookies","tag-exploits-and-vulnerabilities","tag-google","tag-info-stealers","tag-mfa","tag-news"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23701","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=23701"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23701\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=23701"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=23701"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=23701"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}