Attackers Abuse Google OAuth Endpoint to Hijack User Sessions

Infostealers such as Lumma and Rhadamanthys have integrated the generation of persistent Google cookies through token manipulation.


Attackers have been exploiting an undocumented Google OAuth endpoint to hijack user sessions and allow continuous access to Google services, even after a password reset.

A threat actor called "Prisma" has uncovered the critical exploit, which "allows the generation of persistent Google cookies through token manipulation," according to a recent blog post by Pavan Karthick M, threat intelligence researcher at CloudSEK.

Prominent infostealers such as Lumma and Rhadamanthys have since integrated the capability in their malware after the threat actor behind Lumma reverse-engineered the script and improved the methodology with advanced blackboxing techniques.

"This marked the beginning of a ripple effect, as the exploit rapidly spread among various malware groups to keep on par with unique features," Karthick M wrote.

CloudSEK researchers learned of the zero-day exploit in October, when Prisma made an announcement on its Telegram channel revealing a way to bypass typical security measures on Google account sessions.

The method has two key features: A user's Google session remains valid even when the account password is changed, ensuring continuous access to Gmail and other accounts; also, someone can generate valid cookies in the event of a session disruption, thus enhancing "the attacker's ability to maintain unauthorized access," Karthick M wrote in the post.

Ironically, through collaboration with Prisma itself (and its own reverse engineering of the exploit-embedded malware), CloudSEK's threat research team identified the exploit's root at an undocumented Google OAuth endpoint named "MultiLogin."

OAuth Cyber Risk vs. Reward

OAuth is an open authentication standard in use since 2007 for cross-platform access — one example is the "Log in with Google" functionality used across websites. OAuth enables applications to get access to data and resources on other trusted online services and sites based on permissions set by a user, and it is the mechanism responsible for the authentication handoff between the sites.

While the standard is certainly useful, it also presents risk to organizations if it's not implemented correctly, and there are a number of ways attackers can abuse vulnerable instances and the standard itself. For example, security researchers have found flaws in its implementation that have exposed key online services platforms such as Booking.com and others to attack. Meanwhile, others have used malicious OAuth apps of their creation to compromise Microsoft Exchange servers.

In the case of the Google endpoint, the OAuth exploit discovered by Prisma targets Google Chrome's token_service table to extract tokens and account IDs of logged-in Chrome profiles, according to CloudSEK. That table contains two "crucial" columns, titled "service (GAIA ID)" and "encrypted_token," Karthick M explained.

"The encrypted tokens are decrypted using an encryption key stored in Chrome's Local State within the UserData directory, similar to the encryption used for storing passwords," he wrote.

CloudSEK used Chromium's source code to identify the MultiLogin endpoint as an internal mechanism designed for synchronizing Google accounts across services, facilitating a consistent user experience by ensuring that browser account states align with Google's authentication cookies.
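A defender-side illustration of the token-store access pattern described above, added here and not taken from CloudSEK or the article: it correlates file-read telemetry and flags any process other than the installed browser that reads both Local State and the token database within a short window. The event format, the "Web Data" file name, the allow-listed browser path and the 60-second window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumptions, not from the article: the token database file name, the
# allow-listed browser path, the event format and the correlation window.
TOKEN_DB = "web data"     # SQLite file assumed to hold the token_service table
KEY_FILE = "local state"  # holds the encryption key, per the article
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
ALLOWED_IMAGES = {CHROME.lower()}
WINDOW = timedelta(seconds=60)

UD = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
TMP = r"C:\Users\alice\AppData\Local\Temp"
# Constructed file-read events: (timestamp, pid, process image, file read)
SAMPLE_EVENTS = [
    ("2024-01-05T09:00:00", 5000, r"C:\Tools\backup.exe", UD + r"\Local State"),
    ("2024-01-05T09:30:00", 3000, CHROME, UD + r"\Local State"),
    ("2024-01-05T09:30:01", 3000, CHROME, UD + r"\Default\Web Data"),
    ("2024-01-05T10:00:05", 4120, TMP + r"\updater.exe", UD + r"\Local State"),
    ("2024-01-05T10:00:07", 4120, TMP + r"\updater.exe", UD + r"\Default\Web Data"),
    ("2024-01-05T11:00:00", 6100, TMP + r"\chrome.exe", UD + r"\Default\Web Data"),
    ("2024-01-05T11:00:10", 6100, TMP + r"\chrome.exe", UD + r"\Local State"),
    ("2024-01-05T12:00:00", 5000, r"C:\Tools\backup.exe", UD + r"\Default\Web Data"),
]

def classify(path):
    """Return 'key', 'tokens' or None for a file path under Chrome's User Data."""
    p = PureWindowsPath(path)
    if "user data" not in (part.lower() for part in p.parts):
        return None
    return {KEY_FILE: "key", TOKEN_DB: "tokens"}.get(p.name.lower())

def find_token_store_readers(events, window=WINDOW):
    """Flag non-browser processes that read both files within `window`."""
    last_seen, alerts = defaultdict(dict), []  # (pid, image) -> {kind: last read}
    for ts, pid, image, path in sorted(events):
        kind = classify(path)
        # Compare the full image path: a chrome.exe outside the install dir is untrusted.
        if kind is None or str(PureWindowsPath(image)).lower() in ALLOWED_IMAGES:
            continue
        when = datetime.fromisoformat(ts)
        state = last_seen[(pid, image)]
        state[kind] = when
        other = "key" if kind == "tokens" else "tokens"
        if other in state and when - state[other] <= window:
            alerts.append({"pid": pid, "image": image, "time": ts})
            state.clear()  # one alert per correlated pair of reads
    return alerts
```

On the constructed sample, `find_token_store_readers(SAMPLE_EVENTS)` flags the two processes running from the Temp directory, including the one named chrome.exe, and ignores both the installed browser and the backup tool whose two reads are hours apart.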

"This endpoint operates by accepting a vector of account IDs and auth-login tokens — data essential for managing simultaneous sessions or switching between user profiles seamlessly," Karthick M wrote. In this way, it's a critical part of Google's OAuth system, accepting vectors of account IDs and auth-login tokens, he explained.

Abusing MultiLogin

MultiLogin's "vital role in user authentication" can be abused, however, if its cross-account communication is mishandled. CloudSEK analyzed the approach of Lumma — the first infostealer to develop a technique to use the exploit — to shed light on how this abuse works.

"Lumma's approach hinges on a nuanced manipulation of the token:GAIA ID pair, a critical component in Google's authentication process," Karthick M explained.

This pair, when used in conjunction with the MultiLogin endpoint, enables the regeneration of Google service cookies. However, Lumma encrypted this token:GAIA ID pair with proprietary private keys, which effectively "blackboxed" the exploitation process, keeping the core mechanics a secret.

This blackboxing was likely done to serve two purposes: It masks the core mechanism of the exploit, thus making it harder for other threat actors to duplicate. It also is less likely to trigger alarms in network security systems, according to CloudSEK, as standard security protocols tend to overlook encrypted traffic, mistaking it for legitimate.

Ultimately, manipulating the token:GAIA ID pair allowed Lumma to continuously regenerate cookies for Google services, an exploit that remained effective even after users had reset their passwords, CloudSEK found. "This persistence in access allows for prolonged and potentially unnoticed exploitation of user accounts and data," Karthick M wrote.

Moreover, Lumma's subsequent adaptation of the exploit — which introduced the use of SOCKS proxies to circumvent Google's IP-based restrictions on cookie regeneration — inadvertently exposed some details of its techniques. This paved the way for other infostealers to adopt the exploit, including Rhadamanthys, Risepro, Meduza, Stealc Stealer, and, most recently on Dec. 26, White Snake, according to CloudSEK.

Growing Cyberattacker Sophistication Demands Response

Ultimately, the Lumma threat actors' tactical decision to encrypt the exploit's key component demonstrates the increased stealth and sophisticated nature of cyber threats, behavior that demands defenders also step up their game, according to CloudSEK.

"It signifies a shift in the landscape of malware development, where the emphasis is increasingly on the concealment and protection of exploit methodologies, as much as on the effectiveness of the exploits themselves," Karthick M wrote.

In turn, this advanced behavior highlights the need for organizations to employ continuous monitoring of both technical vulnerabilities and human intelligence sources to stay ahead of emerging cyber threats, Karthick M wrote, as a collaboration between both "is crucial in uncovering and understanding sophisticated exploits."

About the Author(s)

Elizabeth Montalbano, Contributing Writer
