Multiple information-stealing malware families are abusing an undocumented Google OAuth endpoint named “MultiLogin” to restore expired authentication cookies and log into users’ accounts, even if an account’s password was reset.
Session cookies are a special type of browser cookie that contains authentication information, allowing a person to automatically log in to websites and services without entering their credentials.
These types of cookies are meant to have a limited lifespan, so they cannot be used indefinitely by threat actors to log into accounts if they are stolen.
In late November 2023, BleepingComputer reported on two information-stealers, namely Lumma and Rhadamanthys, who claimed they could restore expired Google authentication cookies stolen in attacks.
These cookies would allow the cybercriminals to gain unauthorized access to Google accounts even after the legitimate owners have logged out, reset their passwords, or their session has expired.
BleepingComputer has contacted Google multiple times over a month with questions about these claims and how they plan to mitigate the issue, but we never received a response.
Exploiting Google OAuth endpoint
A report published today by CloudSEK researchers sheds more light on how this zero-day exploit works and paints a dire picture regarding the scale of its exploitation.
The exploit was first revealed by a threat actor named PRISMA on October 20, 2023, who posted on Telegram that they discovered a way to restore expired Google authentication cookies.
After reverse engineering the exploit, CloudSEK discovered it uses an undocumented Google OAuth endpoint named “MultiLogin,” which is intended for synchronizing accounts across different Google services by accepting a vector of account IDs and auth-login tokens.
“This request is used to set chrome accounts in browser in the Google authentication cookies for several google websites (e.g. youtube),” explains a description of the API endpoint in the Google Chrome source code.
“This request is part of Gaia Auth API, and is triggered whenever accounts in cookies are not consistent with accounts in browser,” a variable in the source code further explains.
CloudSEK says that information-stealing malware abusing this endpoint extracts tokens and account IDs of Chrome profiles logged into a Google account. This stolen information contains two crucial pieces of data: service (GAIA ID) and encrypted_token.
The encrypted tokens are decrypted using an encryption stored in Chrome’s ‘Local State’ file. This same encryption key is also used to decrypt saved passwords in the browser.
Using the stolen token:GAIA pairs with the MultiLogin endpoint, the threat actors can regenerate expired Google Service cookies and maintain persistent access on compromised accounts.
In a discussion with CloudSek researcher Pavan Karthick, BleepingComputer was told they reverse-engineered the exploit and were able to use it to regenerate expired Google authentication cookies, as shown below.
However, Karthick explained that the authentication cookie can only be regenerated once if a user resets their Google password. Otherwise, it can be regenerated multiple times, providing persistent access to the account.
Malware devs rush to add exploit
Lumma stealer first adopted the exploit on November 14, whose developers applied blackboxing techniques such as encrypting the token:GAIA pair with private keys to hide the mechanism from competitors and prevent the replication of the feature.
Still, others were able to copy the feature or incorporate PRISMA’s exploit into their stealers, with Rhadamanthys being the first to follow on November 17.
Since then, numerous other information stealers have adopted the exploit, including Stealc on December 1, Medusa on December 11, RisePro on December 12, and Whitesnake on December 26.
So, at least six info-stealers currently claim the ability to regenerate Google cookies using this API endpoint.
Threat intelligence firm Hudson Rock has also published the following video on YouTube, where a cybercriminal demonstrates how the cookie restoration exploit works.
A subsequent release by Lumma updated the exploit to counteract Google’s mitigations, suggesting that the tech giant knows about the actively exploited zero-day flaw.
Specifically, Lumma turned to using SOCKS proxies to evade Google’s abuse detection measures and implemented encrypted communication between the malware and the MultiLogin endpoint.
However, since Google hasn’t confirmed the abuse of the MultiLogin endpoint, the status of the exploitation and its mitigation efforts remain unclear at this time.