“Critical Google Cookies” Exploit Allows Persistent Access After Password Reset

The “Critical Google Cookies” exploit involves stealing or manipulating the browser cookies that hold a user's authentication state. Threat actors manipulate these cookies to gain unlawful access to user accounts, using them to:

  1. Hijack Sessions
  2. Impersonate Users
  3. Control Sensitive Data
  4. Illegally Access the Websites & Apps

A developer known as “PRISMA” disclosed a critical Google cookie exploit in October 2023. It gives attackers continued access to user data even after a password reset. A threat actor later integrated it into the Lumma Infostealer, triggering a ripple effect across several other malware groups.

Recently, cybersecurity experts at “CloudSEK” identified a new Google cookie flaw that allows hacking groups to persistently access user accounts even after a password reset. The researchers first learned of this critical exploit through “HUMINT” and then traced its root to an undocumented Google OAuth endpoint, “MultiLogin”.

About Google Cookies Exploit

On October 20, 2023, CloudSEK's XVigil platform observed a developer named "PRISMA" revealing on Telegram a powerful zero-day exploit for Google accounts, with two capabilities:

  1. Session Persistence: the session bypasses security controls and remains valid even after a password change.
  2. Cookie Generation: it generates legitimate cookies for continuous access.

Malware targets the WebData token_service table in Chrome and reverse engineers it to extract:

  1. Tokens
  2. Account IDs

The table's important columns include:

  1. GAIA ID (service)
  2. Encrypted_token

Decryption uses Chrome's encryption key from the Local State file, kept in the “User Data” directory, the same key that protects saved passwords. The MultiLogin endpoint, an internal Google account synchronization mechanism, is exposed in the Chromium source code.
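As an added example (not code from the article or from CloudSEK), the following Python detection logic flags non-browser processes that read the two Chrome artifacts the exploit depends on, the Local State key file and the Web Data database; the event records, file paths, process names and the user name "alice" are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-read events (not real telemetry); hypothetical user "alice".
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
UD = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
SAMPLE_EVENTS = [
    {"ts": "2023-11-02T10:15:01Z", "pid": 4120, "image": CHROME, "path": UD + r"\Local State"},
    {"ts": "2023-11-02T10:15:02Z", "pid": 4120, "image": CHROME, "path": UD + r"\Default\Web Data"},
    {"ts": "2023-11-02T10:16:10Z", "pid": 7788, "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "path": UD + r"\Local State"},
    {"ts": "2023-11-02T10:16:12Z", "pid": 7788, "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "path": UD + r"\Default\Web Data"},
    {"ts": "2023-11-02T10:16:13Z", "pid": 7788, "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "path": r"C:\Users\alice\Documents\notes.txt"},
    {"ts": "2023-11-02T10:30:00Z", "pid": 9001, "image": r"C:\Windows\System32\svchost.exe", "path": UD + r"\Default\Web Data"},
]

# The two files named in the article: Local State holds the encryption key that
# protects saved passwords and tokens; Web Data holds the token_service table.
ARTIFACTS = {"local state": "key", "web data": "tokens"}
BROWSER_IMAGES = {"chrome.exe"}
WINDOW = timedelta(seconds=60)


def classify(path):
    """Return 'key', 'tokens', or None for a file path under Chrome's User Data."""
    low = path.replace("/", "\\").lower()
    if "\\google\\chrome\\user data\\" not in low:
        return None
    return ARTIFACTS.get(low.rsplit("\\", 1)[-1])


def detect(events, window=WINDOW):
    """One finding per non-browser process that read a token-store artifact; 'high'
    when it read both the key file and the token database within `window`."""
    touches = defaultdict(list)  # (pid, image) -> [(timestamp, artifact kind)]
    for ev in events:
        kind = classify(ev["path"])
        exe = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if kind is None or exe in BROWSER_IMAGES:
            continue
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        touches[(ev["pid"], ev["image"])].append((ts, kind))
    findings = []
    for (pid, image), seen in touches.items():
        seen.sort()
        # A stealer needs the key AND the database; both within the window is the strong signal.
        paired = any(b[1] != a[1] and b[0] - a[0] <= window
                     for i, a in enumerate(seen) for b in seen[i + 1:])
        findings.append({"pid": pid, "image": image, "artifacts": sorted({k for _, k in seen}),
                         "severity": "high" if paired else "medium"})
    return findings
```

Chrome itself is allow-listed by image name only; in production the allow-list should also check the binary's signer and path, since a stealer may copy the browser's name.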

It combines browser account states with Google's login cookies to give a consistent user experience. Attempts to locate the endpoint through Google dorking were unsuccessful. To handle many sessions at once, the MultiLogin endpoint takes account IDs and auth-login tokens.

This undocumented MultiLogin endpoint, an essential component of Google's OAuth system, is what allows the cookies to be renewed. Lumma's strategy encrypts the token:GAIA ID pair, black-boxing the exploit and hiding its inner workings. Black-boxing brings two benefits:

  1. Evasion of Detection
  2. Protection of the Exploit Technique

Using this complex technique, Lumma can continuously regenerate cookies for Google services by manipulating the token:GAIA ID pair. Its persistence after a password reset is concerning because it permits:

  1. Unnoticed Account Exploitation
  2. Prolonged Account Exploitation

Encrypting this core component shows how far malware authors go to protect and hide their exploit techniques, and signals a shift toward more sophisticated, stealth-focused cyber attacks.