Security News Session token stealer survive Google password reset

Victor M

Victor M

Level 12
Thread author
Verified
Top Poster
Well-known
Oct 3, 2022
576
Content source
https://www.theregister.com/2024/01/02/infostealer_google_account_exploit/
Security researchers say info-stealing malware can still access victims' compromised Google accounts even after passwords have been changed.

A zero-day exploit of Google account security was first teased by a cybercriminal known as "PRISMA" in October 2023, boasting that the technique could be used to log back into a victim's account even after the password is changed. It can also be used to generate new session tokens to regain access to victims' emails, cloud storage, and more as necessary. Since then, developers of info-stealer malware – primarily targeting Windows, it seems – have steadily implemented the exploit in their code. The total number of known malware families that abuse the vulnerability stands at six, including Lumma and Rhadamanthys, while Eternity Stealer is also working on an update to release in the near future.
Click to expand...
www.theregister.com

Google password resets not enough to stop this malware

Now every miscreant is jumping on Big G's OAuth account security hole
www.theregister.com www.theregister.com
 
Last edited by a moderator:
  • Wow
  • +Reputation
  • Like
Reactions: vtqhtr413, Nevi, harlan4096 and 4 others
Victor M

Victor M

Level 12
Thread author
Verified
Top Poster
Well-known
Oct 3, 2022
576
For those who didn't bother to read carefully, the thing to do is to Sign Out of your gmail session + change your password when you discover a token stealer. Signing out, it seems, will expire your token. In addition, I would add, buy a Yubikey. ($25) - true separate media offline second factor authenticator.
 
  • +Reputation
  • Applause
  • Like
Reactions: vtqhtr413, Nevi, Jonny Quest and 3 others
vtqhtr413

vtqhtr413

Level 27
Well-known
Aug 17, 2017
1,609
Unfortunately, Google sees this API abuse as just your regular, garden-variety malware-based cookie theft, however, sources familiar with this issue have told BleepingComputer that Google believes the API is working as intended and that no vulnerability is being exploited by the malware.

Google's solution to this issue is simply having users log out of their Chrome browser from the affected device or kill all active sessions via g.co/mydevices. Doing so will invalidate the Refresh token and make it unusable with the API.

"In the meantime, users should continually take steps to remove any malware from their computer, and we recommend turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads," Google further recommends.
Click to expand...
www.bleepingcomputer.com

Google: Malware abusing API is standard token theft, not an API issue

Google is downplaying reports of malware abusing an undocumented Google Chrome API to generate new authentication cookies when previously stolen ones have expired.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
Reactions: simmerskool and [correlate]

Similar threads

Gandalf_The_Grey
    • Like
Security News Fake Google Meet conference errors push infostealing malware
Replies
2
Views
1,302
Security News
Andy Ful
Andy Ful
Gandalf_The_Grey
    • Like
    • Wow
    • +Reputation
Malware News Over 200 malicious apps on Google Play downloaded millions of times
Replies
1
Views
1,169
Security News
Digmor Crusher
Digmor Crusher
Gandalf_The_Grey
    • +Reputation
    • Like
Security News Malware abuses Google OAuth endpoint to ‘revive’ cookies, hijack accounts
Replies
1
Views
1,943
Security News
[correlate]
[correlate]

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top