Exploitation of Undocumented Google OAuth Endpoint "MultiLogin" Enables Unauthorized Access to Users' Google Accounts
A new method allegedly enables attackers to abuse the OAuth2 authorization protocol to compromise Google accounts and keep sessions valid by regenerating cookies, despite an IP or password reset.
Multiple information-stealing malware families are exploiting an undocumented Google OAuth endpoint called "MultiLogin" to restore expired authentication cookies and gain unauthorized access to users' Google accounts.
Google OAuth service has two known endpoints:
"/auth" endpoint: This endpoint provides a short-lived authorization code to confirm the validity of user credentials and consent for a specific scope.
"/token" endpoint: This endpoint is used to exchange the authorization code and obtain a bearer token and refresh token.
The "/authorize" endpoint is used for the Web Server OAuth Authentication Flow and User-Agent OAuth Authentication Flow. The "/token" endpoint is used for the Username-Password OAuth Authentication Flow and the OAuth Refresh Token Process.
Session cookies, which contain authentication information, are being abused to automatically log into websites and services without the need for credentials. Although these cookies are designed to have a limited lifespan, cybercriminals can use them to log into stolen accounts even after the legitimate owners have logged out or their sessions have expired.
The exploit, first disclosed by a threat actor named PRISMA on October 20, 2023, involves the use of the "MultiLogin" endpoint in Google OAuth, which is intended for synchronizing accounts across different Google services. By extracting tokens and account IDs from logged-in Chrome profiles, information-stealing malware can regenerate expired Google service cookies and maintain persistent access to compromised accounts. The stolen tokens are decrypted using an encryption key stored in Chrome's 'Local State' file, which is also used to decrypt the passwords saved in the browser. However, if a user resets their Google password, the authentication cookie can only be regenerated once.
This abuse of the "MultiLogin" endpoint poses a significant security risk as it allows threat actors to bypass password resets and maintain unauthorized access to compromised Google accounts. Users should exercise caution when using Google services and ensure they have strong, unique passwords and enable additional security measures like two-factor authentication to protect their accounts.
IT Infrastructure Security
User awareness training.
Adblockers can help prevent malicious code from executing when it’s delivered via malicious ads.
Monitor for newly constructed files being written to disk, which may indicate that an adversary gained access to a system through a user visiting a website in the normal course of browsing.
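As an added example (not code from this advisory or from the sources it draws on), the following Python script implements the file monitoring recommended above: it parses constructed file-read events in a hypothetical log format and raises an alert whenever a process other than chrome.exe reads the Chrome profile files the stealers described here rely on (the 'Local State' key file, saved logins and cookies). The log format, file paths and process allowlist are assumptions to adapt to your own telemetry.

```python
import re
from dataclasses import dataclass

# Chrome profile files an info-stealer needs for the technique above: the
# 'Local State' file (holds the key used to decrypt tokens and saved
# passwords), saved logins and cookies. Assumption: default Windows paths.
SENSITIVE_CHROME_FILES = (
    r"\Google\Chrome\User Data\Local State",
    r"\Google\Chrome\User Data\Default\Login Data",
    r"\Google\Chrome\User Data\Default\Network\Cookies",
)
# Processes expected to read these files (assumption; tune per environment).
ALLOWED_IMAGES = {"chrome.exe"}
# Hypothetical file-access log format, one event per line.
LOG_RE = re.compile(r'^(?P<ts>\S+) file_read image="(?P<image>[^"]+)" '
                    r'user=(?P<user>\S+) path="(?P<path>[^"]+)"$')


@dataclass
class Alert:
    ts: str
    image: str
    user: str
    path: str


def is_sensitive(path):
    """True if the path ends in one of the Chrome files listed above."""
    lowered = path.lower()
    return any(lowered.endswith(p.lower()) for p in SENSITIVE_CHROME_FILES)


def detect(lines):
    """Return one Alert per sensitive Chrome file read by a non-allowlisted process."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not is_sensitive(m["path"]):
            continue  # unparsable event or an uninteresting file
        image_name = m["image"].rsplit("\\", 1)[-1].lower()
        if image_name not in ALLOWED_IMAGES:
            alerts.append(Alert(m["ts"], m["image"], m["user"], m["path"]))
    return alerts


# Constructed sample events (not real telemetry): one legitimate browser read,
# two reads by an unknown binary in Temp, and one unrelated document read.
SAMPLE_LOG = [
    r'2024-01-05T10:01:02Z file_read image="C:\Program Files\Google\Chrome\Application\chrome.exe" user=alice path="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"',
    r'2024-01-05T10:03:44Z file_read image="C:\Users\alice\AppData\Local\Temp\update.exe" user=alice path="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"',
    r'2024-01-05T10:03:45Z file_read image="C:\Users\alice\AppData\Local\Temp\update.exe" user=alice path="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"',
    r'2024-01-05T10:05:10Z file_read image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" user=alice path="C:\Users\alice\Documents\report.docx"',
]
```

Running detect(SAMPLE_LOG) yields two alerts, both for update.exe; the chrome.exe read of the same file is suppressed by the allowlist.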
How can CyberForce|Q services help you address this risk?
Incident Response is a time-based situation and CyberForce|Q can assist with a potential incident in your environment. Our experienced Incident Response Team can be deployed 24x7x365 – reach out to firstname.lastname@example.org.