Malware Using Google MultiLogin Exploit to Maintain Access Despite Password Reset
Jan 03, 2024
Malware / Data Theft
Information stealing malware are actively taking advantage of an undocumented Google OAuth endpoint named MultiLogin to hijack user sessions and allow continuous access to Google services even after a password reset. According to CloudSEK, the critical exploit facilitates session persistence and cookie generation, enabling threat actors to maintain access to a valid session in an unauthorized manner. The technique was first revealed by a threat actor named PRISMA on October 20, 2023, on their Telegram channel. It has since been incorporated into various malware-as-a-service (MaaS) stealer families , such as Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake. The MultiLogin authentication endpoint is primarily designed for synchronizing Google accounts across services when users sign in to their accounts in the Chrome web browser (i.e., profiles ). A reverse engineering of the Lumma Stealer code has revealed that the technique targets the "Chrome's token_