New Malware Stays Logged Into Stolen Google Accounts After Password Reset

Be careful with this 'malware': it can steal your Google account even if you change your password.

It has been in circulation for two months and takes advantage of a vulnerability in session cookies to access the account and steal personal data. Google claims to be working to solve the problem.

Session cookies make the life of any user much easier when browsing the Internet. Thanks to them, there is no need to enter your email address and password every time you want to log into a bank account or access any other service. However, they hide vulnerabilities that, in many cases, are exploited by cybercriminals, which is why big tech companies are increasingly betting more on passkeys . Google has been the last affected by this problem.

Last October 2023, a user known by the pseudonym PRISMA revealed on his Telegram channel that he had managed to restore expired Google authentication cookies . This allowed him to access Gmail accounts, even if the user had changed the password, and generate new session cookies with which to continue entering them in an unauthorized manner.

Shortly after, at the end of November 2023, the developers of Lumma , a malware classified as an infostealer (a type of Trojan intended to steal personal data), claimed to have been able to take advantage of this Google vulnerability. Other malicious programs such as Rhadamanthys, Stealc Stealer, Meduza or Risepro followed in their footsteps and did the same.

But how do they do it?

Cloudsek, a company specialized in cybersecurity, has been in charge of finding the modus operandi of these cybercriminals. Specifically, what they do is take advantage of an endpoint called MultiLogin from Google OAuth to log into user accounts without having to follow the authentication process. This was revealed in a publication on his official blog.

According to the Chromium source code, MultiLogin is an endpoint intended to allow the synchronization of the different Google services based on authentication cookies . To do this, it uses identification vectors and login tokens , which are essential for managing multiple sessions simultaneously and switching between different profiles. Its malicious use by the malware mentioned above is especially dangerous, since it offers the possibility of exploiting access in a prolonged and discreet manner.

In this sense, Google has taken action on the matter. Specifically, it indicates that it is “applying measures to protect compromised accounts that have been detected .” It also ensures that it “regularly updates the defenses against these types of techniques to protect users.” In any case, it is advisable to take extreme precautions, enable double access verification systems and even start using passkeys to make it difficult for cybercriminals.