Security News: Session token stealers survive Google password reset

Victor M

Security researchers say info-stealing malware can still access victims' compromised Google accounts even after passwords have been changed.

A zero-day exploit of Google account security was first teased by a cybercriminal known as "PRISMA" in October 2023, boasting that the technique could be used to log back into a victim's account even after the password is changed. It can also be used to generate new session tokens to regain access to victims' emails, cloud storage, and more as necessary. Since then, developers of info-stealer malware – primarily targeting Windows, it seems – have steadily implemented the exploit in their code. The total number of known malware families that abuse the vulnerability stands at six, including Lumma and Rhadamanthys, while Eternity Stealer is also working on an update to release in the near future.
 

Victor M

For those who didn't bother to read carefully, the thing to do is to sign out of your Gmail session and change your password when you discover a token stealer. Signing out, it seems, will expire your token. In addition, I would add: buy a YubiKey ($25), a true separate-media offline second-factor authenticator.
 

vtqhtr413

Unfortunately, Google sees this API abuse as just your regular, garden-variety malware-based cookie theft; however, sources familiar with this issue have told BleepingComputer that Google believes the API is working as intended and that no vulnerability is being exploited by the malware.

Google's solution to this issue is simply having users log out of their Chrome browser from the affected device or kill all active sessions via g.co/mydevices. Doing so will invalidate the Refresh token and make it unusable with the API.

"In the meantime, users should continually take steps to remove any malware from their computer, and we recommend turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads," Google further recommends.
 
