Facepalm: OAuth is an open standard designed to share account information with third-party services, providing users with a simple way to access apps and websites. Google, one of the companies offering OAuth authentication to its users, is seemingly hiding some dangerous "secrets" in the protocol.
A malware developer was recently able to discover one of Google's OAuth secrets, a previously unknown feature named "MultiLogin" that is responsible for synchronizing Google accounts across different services. MultiLogin accepts a vector of account ID and auth-login tokens, using such data for managing simultaneous sessions or seamlessly switching between user profiles.
MultiLogin is a Chromium feature that can be abused to compromise a user's Google account. The "bug" was unveiled by a malware developer known as PRISMA in October 2023. The cyber-criminal shared details about a critical exploit designed to generate persistent cookies for "continuous" access to Google services, even after a user's password reset.
The exploit was first revealed on PRISMA's Telegram channel, and it was soon adapted by various malware groups as a new, potent tool to steal access credentials on users' PCs. As highlighted by CloudSEK analysts, the 0-day exploit provided two key features for infostealer creators: session persistence, and valid cookie generation.
Cyber-criminals quickly adapted the new exploit, integrating even more advanced features to bypass Google's security restrictions for token regeneration. Recent infostealer malware can infect a user's PC, scan the machine for Chromium session cookies, then exfiltrate and send the data to remote servers controlled by cyber-criminals.
Thanks to MultiLogin, the stolen tokens can be used to log in with an OAuth identity even if the user changes their Google password. The exploit can be countered by completely logging out from the Google account, invalidating the session tokens and thus preventing further exploitation.
CloudSEK said that the MultiLogin exploit underscores the "complexity and stealth" of modern security threats. Google confirmed the session-stealing attack, saying that such kind of malware is not new. The company routinely upgrades its defense against these techniques, and it has already "taken action" to secure compromised accounts. Mountain View also confirmed that users must log out to revoke stolen cookies, and that the Enhanced Safe Browsing feature of the Chrome browser can protect against phishing and malware downloads.