Security News Session token stealer survive Google password reset

Victor M

Level 12
Thread author
Verified
Top Poster
Well-known
Oct 3, 2022
557
Security researchers say info-stealing malware can still access victims' compromised Google accounts even after passwords have been changed.

A zero-day exploit of Google account security was first teased by a cybercriminal known as "PRISMA" in October 2023, boasting that the technique could be used to log back into a victim's account even after the password is changed. It can also be used to generate new session tokens to regain access to victims' emails, cloud storage, and more as necessary. Since then, developers of info-stealer malware – primarily targeting Windows, it seems – have steadily implemented the exploit in their code. The total number of known malware families that abuse the vulnerability stands at six, including Lumma and Rhadamanthys, while Eternity Stealer is also working on an update to release in the near future.
 
Last edited by a moderator:

Victor M

Level 12
Thread author
Verified
Top Poster
Well-known
Oct 3, 2022
557
For those who didn't bother to read carefully, the thing to do is to Sign Out of your gmail session + change your password when you discover a token stealer. Signing out, it seems, will expire your token. In addition, I would add, buy a Yubikey. ($25) - true separate media offline second factor authenticator.
 

vtqhtr413

Level 27
Well-known
Aug 17, 2017
1,609
Unfortunately, Google sees this API abuse as just your regular, garden-variety malware-based cookie theft, however, sources familiar with this issue have told BleepingComputer that Google believes the API is working as intended and that no vulnerability is being exploited by the malware.

Google's solution to this issue is simply having users log out of their Chrome browser from the affected device or kill all active sessions via g.co/mydevices. Doing so will invalidate the Refresh token and make it unusable with the API.

"In the meantime, users should continually take steps to remove any malware from their computer, and we recommend turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads," Google further recommends.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top