Security News > 2023 > December > Malware abuses Google OAuth endpoint to ‘revive’ cookies, hijack accounts
Multiple information-stealing malware families are abusing an undocumented Google OAuth endpoint named "MultiLogin" to restore expired authentication cookies and log into users' accounts, even if an account's password was reset.
These cookies would allow the cybercriminals to gain unauthorized access to Google accounts even after the legitimate owners have logged out, reset their passwords, or their session has expired.
After reverse engineering the exploit, CloudSEK discovered it uses an undocumented Google OAuth endpoint named "MultiLogin," which is intended for synchronizing accounts across different Google services by accepting a vector of account IDs and auth-login tokens.
"This request is used to set chrome accounts in browser in the Google authentication cookies for several google websites," explains a description of the API endpoint in the Google Chrome source code.
Using the stolen token:GAIA pairs with the MultiLogin endpoint, the threat actors can regenerate expired Google Service cookies and maintain persistent access on compromised accounts.
Malware dev says they can revive expired Google auth cookies.
News URL
Related news
- Google OAuth Vulnerability Exposes Millions via Failed Startup Domains (source)
- Google OAuth flaw lets attackers gain access to abandoned accounts (source)
- Fake Homebrew Google ads target Mac users with malware (source)
- Crypto-stealing iOS, Android malware found on App Store, Google Play (source)
- Fake Google Chrome Sites Distribute ValleyRAT Malware via DLL Hijacking (source)
- Week in review: Exploited 7-Zip 0-day flaw, crypto-stealing malware found on App Store, Google Play (source)
- 300% increase in endpoint malware detections (source)
- SpyLend Android malware downloaded 100,000 times from Google Play (source)