Creation Center
  1. chief security officerHome
  2. intelligence gathering

Google Account OAuth2 Protocol Faces New Attack Threats

batsom intelligence gathering 1346 views

Re-generate Google services cookies using undocumented OAuth2 functionality, regardless of IP or password reset.

Google Account. This method allows you to maintain a valid session by regenerating cookies, even after changing your IP address or password. A newhackerMethods allow attackers to exploit OAuth 2.0 Authorization Protocol functionality to compromise GoogleCloudSEK CloudSEK Reports

A team of CloudSEK researchers discovered an attack using an undocumented Google Oauth access point called "MultiLogin". "MultiLogin" is an internal mechanism designed to synchronize Google accounts across various services, ensuring that the account state in the browser matches Google's authentication cookie.

expressed a willingness to cooperate, which accelerated the discovery of the access point responsible for re-generating the cookie. Utilizing the

Infostealer malware. Lumma's main functions include session persistence and cookie generation. The program is designed to extract the necessary secrets, tokens, and account IDs by attacking the token_service table in the WebData of the login Chrome profile.

"Sessions remain valid even if the account password is changed, which is a unique advantage in bypassing typical security measures," - the report quotes PRISMA, the author of the exploit.

Researchers have noted a worrying trend of rapid consolidation of vulnerability exploits among various cybercriminal groups. Exploiting Google's undocumented OAuth2 MultiLogin access point is a prime example of the sophistication, as the method relies on subtle manipulation of Google Account and ID Management (GAIA) tokens. The malware uses a cryptographic layer to hide the exploit mechanism.

This exploitation technique demonstrates a high degree of sophistication and understanding of Google's internal authentication mechanisms. By manipulating the "Token:GAIA ID" pair, Lumma can continually regenerate cookies for Google services, and, particularly troubling, the exploit remains in effect even if a user's password is reset, allowing for ongoing and potentially undetectable exploitation of user accounts and data. " The CloudSEK team concluded.

refer to:

https://www.cloudsek.com/blog/compromising-google-accounts-malwares-exploiting-undocumented-oauth2-functionality-for-session-hijacking

Original article by batsom, if reproduced, please credit: https://cncso.com/en/google-accounts-malwares-exploiting-undocumented-oauth2-session-hijacking.html

Like (0)
0 0

About the author

batsom

batsomcertified author

7 posts
0 comments
1 followers
This person is very lazy and has left nothing behind~
Previous December 30, 2023 at 11:03 pm
Next December 31, 2023 6:00 pm

related suggestion