Undocumented Google OAuth function misused by malware for account hijacking

There is an undocumented feature in Google's OAuth implementation that is being abused by several malware strains. They use an exploit that allows them to regenerate expired cookies, which in turn lets them log in to online accounts, steal information or take over the account. The login even works after the account's password has been reset. It is currently unclear whether Google has fixed the problem in the browser.

What is OAuth?

The abbreviation OAuth 2.0 stands for "Open Authorization" version 2.0, an authorization protocol and the de facto standard for online authorization. A website or application can use OAuth 2.0 to access, on behalf of a user, resources that are hosted by other web apps. This standard replaced OAuth 1.0 in 2012.

OAuth 2.0 uses access tokens, pieces of data that represent the authorization to access resources on behalf of the end user. OAuth 2.0 does not define a specific format for access tokens; depending on the context, however, the "JSON Web Token (JWT)" format is often used, which lets the issuer embed data (claims) in the token itself. For security reasons, access tokens can also carry an expiration date.

OAuth 2.0 enables access after consent and restricts which actions the client may perform without sharing the user's login data. Details can be found on the linked OAuth page or on Wikipedia.
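To make the token mechanics above concrete, here is an added example (not code from the article or from Google) of a minimal HS256-signed JWT issuer and verifier in plain Python. It shows what the "data in the token itself" looks like, why an `exp` claim must be checked before the token grants anything, and, going one step beyond the text, a hypothetical `sv` (session version) claim that the issuer bumps on password reset so that older tokens stop validating. The signing key, the claim names `sv`/`sub` handling and the verification order are assumptions of this example, not a description of Google's implementation.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real issuer keeps this in a secret store.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def _b64url(data: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def mint_token(subject: str, lifetime_s: int, session_version: int,
               now: Optional[int] = None) -> str:
    """Issue an HS256-signed JWT: header.payload.signature.

    session_version is a hypothetical per-account counter that the issuer
    increments on password reset; tokens minted before the reset carry the
    old value and are rejected by verify_token.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + lifetime_s,
               "sv": session_version}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, current_session_version: int,
                 now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if signature, algorithm, expiry and session
    version all check out, otherwise None.

    The signature is checked first so that nothing inside a forged token
    is trusted; expiry is checked before any claim is acted on.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None  # refuse algorithm confusion such as "none"
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers bad base64, bad JSON and wrong part count
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None  # an expired token must not grant access
    if payload.get("sv") != current_session_version:
        return None  # issued before the last password reset
    return payload


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock for a reproducible demo
    tok = mint_token("user@example.com", lifetime_s=3600, session_version=1, now=t0)
    print("fresh token accepted:", verify_token(tok, 1, now=t0 + 10) is not None)
    print("after expiry:", verify_token(tok, 1, now=t0 + 3600))
    print("after password reset (sv bumped):", verify_token(tok, 2, now=t0 + 10))
```

The point of the `sv` check is the one the article's later sections turn on: a token or cookie that remains valid after a password reset is exactly the failure mode an issuer should design against, and binding tokens to a server-side session generation is one common way to do that.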

Abuse of an undocumented function

In October 2023, a malware developer going by the name PRISMA made an announcement on his Telegram channel: he had found a critical vulnerability in OAuth 2.0 that allows persistent Google cookies to be generated through token manipulation. This vulnerability allows continuous access to Google services even after a user has reset their password.

Rapid spread of the exploit

The malware developer then created an exploit for this 0-day vulnerability. A second threat actor, who was also a customer of PRISMA, later modified this script and integrated it into the Lumma Infostealer, using advanced blackboxing techniques to protect the method. The exploit quickly spread among various malware groups.

The Lumma Infostealer build containing the discovered exploit was deployed on November 14, 2024. Subsequently, Rhadamanthys, Risepro, Meduza and Stealc Stealer adopted the technique. On December 26, 2023, White Snake also implemented the exploit, and the developer of Eternity Stealer is currently working on an update. The speed of adoption across different Infostealer families is a worrying trend.

Discovery and analysis

Security researchers from CloudSEK became aware of the issue because their contextual AI platform XVigil had picked up the announcement. After a technical analysis, the researchers were able to trace the exploit back to an undocumented Google OAuth endpoint called "MultiLogin".

The MultiLogin function is not documented anywhere; the security researchers found it in the source code of the Chrome browser. The Chromium source code shows that the MultiLogin endpoint is an internal mechanism designed to synchronize Google accounts across different services.

MultiLogin provides a consistent user experience by ensuring that the browser's account states stay in sync with Google's authentication cookies. This undocumented endpoint is an important part of Google's OAuth system: it accepts vectors of account IDs together with their authentication login tokens.

Exfiltration of tokens and account IDs

When analyzing the malware variant (and through exchanges with the developers of the exploit), the security researchers found that it targets the token_service table in Chrome's WebData database to extract tokens and account IDs from logged-in Chrome profiles. This table contains two important columns: service (the GAIA ID) and encrypted_token. The encrypted tokens are decrypted with a key stored in Chrome's Local State file in the UserData directory.

And now it gets interesting: by submitting the extracted Token:GAIA pairs to the MultiLogin endpoint, the threat actors can regenerate expired Google service cookies via the exploit, giving them persistent access to the compromised accounts. This still works once after the user resets the account password. If the password is not reset, the exploit can regenerate expired Google service cookies again and again.

Status of the exploit unclear

The security researchers have published their analysis in the blog post Compromising Google Accounts: Malwares Exploiting Undocumented OAuth2 Functionality for session hijacking. At the same time, they were in contact with their colleagues at Bleeping Computer, who took up the issue in this article and also included a video from Hudson Rock demonstrating the exploit. Bleeping Computer asked Google several times whether it intended to close this vulnerability, but received no response. It is therefore currently unclear whether the exploit still works in current Chromium versions.

Addendum: In a statement, Google says this is nothing new: "Google is aware of recent reports of a malware family that steals session tokens. Attacks using malware that steals cookies and tokens are not new; we routinely update our defenses against such techniques and protect users who fall victim to malware. In this case, Google has taken steps to secure all compromised accounts discovered." Our colleagues at Bleeping Computer covered it in this blog post, including the above statement.
