Google: Malware abusing API is standard token theft, not an API issue
2024-01-06 16:40

Google is downplaying reports of malware abusing an undocumented Google Chrome API to generate new authentication cookies when previously stolen ones have expired.

Last week, cybersecurity firm CloudSEK revealed that these information-stealing malware operations are abusing a Google OAuth "MultiLogin" API endpoint to generate new, working authentication cookies when a victim's original stolen Google cookies expire.

BleepingComputer's attempts to learn more about this API from Google have been unsuccessful, and the only documentation can be found in Google Chrome's source code.

Sources familiar with this issue have told BleepingComputer that Google believes the API is working as intended and that no vulnerability is being exploited by the malware.

Doing so will invalidate the Refresh token and make it unusable with the API. As the info-stealing malware stole your credentials, you should also change your Google password out of caution, especially if you use the same credentials at other sites.

"In the meantime, users should continually take steps to remove any malware from their computer, and we recommend turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads," Google further recommends.


News URL

https://www.bleepingcomputer.com/news/security/google-malware-abusing-api-is-standard-token-theft-not-an-api-issue/