You may have just changed your password, but an exploit using an undocumented Google OAuth endpoint to allow continual account access—even if the user changes their password—might make you feel like changing it again.
That’s according to research from security firm CloudSEK, which says threat actors first teased the exploit on Telegram in October 2023. The exploit allows malicious parties to abuse the undocumented Open Authorization 2.0 (OAuth) endpoint, MultiLogin, to restore expired authentication tokens and thus gain continual access to an account.
Since the initial announcement, cybercriminals have paired the exploit with information-stealing malware that uses advanced blackboxing techniques intended to obscure its origin, CloudSEK Threat Researcher Pavan Karthick M wrote in a blog post.
OAuth is an open standard used to manage cross-platform access, such as allowing a user to log in to a given site using their account on services like Google or Facebook. The MultiLogin API, “as revealed through Chromium’s source code, is an internal mechanism designed for synchronizing Google accounts across services,” according to the CloudSEK report.
MultiLogin uses a “vector of account IDs and auth-login tokens” to ensure a convenient and consistent user experience, Karthick wrote, such as when managing multiple browser sessions or jumping between different user profiles.
Attackers can use info-stealing malware to retrieve account IDs, as well as steal and decrypt tokens, from devices with Chrome profiles logged into Google Accounts. The MultiLogin exploit then allows them to use the stolen tokens to regenerate cookies for Google services, giving the attackers persistent access.
“Access tokens and cookies, they’re usually active for only a certain amount of time,” Karthick told IT Brew. The tokens involved in this exploit, he said, act as a sort of refresh token for a given browser—for example, allowing a user to use their laptop at a coffee shop without having to log back into their Chrome profile.
“In this case, they just required your refresh token, and then your Google account ID, also known as Gaia [Google accounts and ID administration] ID, using those to basically use this MultiLogin endpoint, which is only documented in Google’s Chromium source code,” Karthick added. “And then they’re able to generate…your account cookies.”
According to CloudSEK, the malicious access can’t be interrupted by a password reset, at least while the user remains logged into their Chrome profile. To revoke the stolen tokens, a user has to first log out of their Chrome profile, use the account recovery process to reset the password, and log back in.
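The security-relevant design point in the paragraphs above is that a long-lived refresh credential, not the password, is what keeps minting session cookies, so a password change alone does nothing unless the service also revokes that credential. The toy model below is an added example written for this article; it is not Google's, Chromium's or CloudSEK's code and does not reproduce the MultiLogin endpoint. Every name, identifier and lifetime in it (AccountService, COOKIE_TTL, the victim account, the two policy labels) is constructed. It contrasts a WEAK policy, where a password change leaves refresh tokens valid until the profile is signed out (the behaviour the article describes), with a STRICT policy, where a credential change revokes every refresh token for the account.

```python
"""Toy token-lifecycle model (added example, not Google's or CloudSEK's code).

A signed-in browser profile holds a long-lived refresh token; short-lived
session cookies are re-minted from it.  Two revocation policies are modelled:

  WEAK   - a password change leaves refresh tokens valid; only signing the
           profile out revokes them (the behaviour the article describes).
  STRICT - a password change revokes every refresh token for the account.

All identifiers, names and lifetimes are constructed for illustration.
"""
import secrets
import time

COOKIE_TTL = 60 * 60   # session cookie lifetime in seconds (constructed)
WEAK = "weak"
STRICT = "strict"


class AccountService:
    def __init__(self, policy):
        self.policy = policy
        self.passwords = {}       # account_id -> password (plaintext only in this toy)
        self.refresh_tokens = {}  # refresh_token -> account_id
        self.cookies = {}         # cookie -> (account_id, expiry timestamp)

    def create_account(self, account_id, password):
        self.passwords[account_id] = password

    def sign_in_profile(self, account_id, password):
        """A password login issues a long-lived, profile-bound refresh token."""
        if self.passwords.get(account_id) != password:
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self.refresh_tokens[token] = account_id
        return token

    def mint_cookie(self, account_id, refresh_token, now=None):
        """Re-mint a short-lived session cookie from (account_id, refresh_token).

        This is the step a stolen token enables: no password is needed here."""
        now = time.time() if now is None else now
        if self.refresh_tokens.get(refresh_token) != account_id:
            raise PermissionError("refresh token revoked or unknown")
        cookie = secrets.token_hex(16)
        self.cookies[cookie] = (account_id, now + COOKIE_TTL)
        return cookie

    def cookie_valid(self, cookie, now=None):
        now = time.time() if now is None else now
        entry = self.cookies.get(cookie)
        return entry is not None and entry[1] > now

    def change_password(self, account_id, new_password):
        self.passwords[account_id] = new_password
        # Only the STRICT policy treats a credential change as a revocation event.
        if self.policy == STRICT:
            self._revoke_all(account_id)

    def sign_out_profile(self, account_id):
        """Signing the profile out revokes its refresh tokens under both policies."""
        self._revoke_all(account_id)

    def _revoke_all(self, account_id):
        for tok in [t for t, a in self.refresh_tokens.items() if a == account_id]:
            del self.refresh_tokens[tok]
        for c in [c for c, (a, _) in self.cookies.items() if a == account_id]:
            del self.cookies[c]


def token_survives_password_change(policy):
    """True if a previously issued refresh token still mints cookies after the
    account password is changed (the failure mode the article describes)."""
    svc = AccountService(policy)
    svc.create_account("victim@example.test", "old-pw")       # constructed account
    token = svc.sign_in_profile("victim@example.test", "old-pw")
    svc.change_password("victim@example.test", "new-pw")
    try:
        svc.mint_cookie("victim@example.test", token)
        return True
    except PermissionError:
        return False


def token_survives_sign_out_then_reset(policy):
    """Models the remediation the article gives: sign out of the profile first,
    then reset the password.  Returns True if the old token still works."""
    svc = AccountService(policy)
    svc.create_account("victim@example.test", "old-pw")
    token = svc.sign_in_profile("victim@example.test", "old-pw")
    svc.sign_out_profile("victim@example.test")
    svc.change_password("victim@example.test", "new-pw")
    try:
        svc.mint_cookie("victim@example.test", token)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("WEAK policy, password change only:", token_survives_password_change(WEAK))
    print("STRICT policy, password change only:", token_survives_password_change(STRICT))
    print("WEAK policy, sign out then reset:", token_survives_sign_out_then_reset(WEAK))
```

The point the model makes for anyone designing or reviewing a session system: a password reset should be a revocation event for every refresh-class credential tied to the account (the STRICT branch), so that the user is not left depending on a separate sign-out step they may not know they need.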
BleepingComputer reported the technique has been incorporated into at least six strains of info-stealing malware since November 2023. Threat actors such as the operators of the Lumma info-stealer have used blackboxing methods to hinder “other malicious entities from duplicating” the exploit, as well as make the malware “less likely to trigger alarms in network security systems.”
“The number of victims you see in these information stealers is very huge,” Karthick told IT Brew. “It could mean millions each and every month.”
“Most of the people don’t even know they’re infected…until their data is being abused a lot,” Karthick added. “Now these attackers using this, they basically have a very special way of regenerating cookies, and abusing other services will be part of the campaign, which we might see in the future because of this.”
Karthick said Google responded to reports of the bug by stating MultiLogin was working as intended.