Exploiting Google’s MultiLogin Endpoint: A Persistent Threat

In October 2023, a significant cybersecurity issue emerged when a developer known as PRISMA uncovered an exploit in Google’s OAuth system. This exploit, involving an undocumented endpoint called “MultiLogin”, allows attackers to generate persistent Google cookies, enabling unauthorized access to Google services even after users reset their passwords. This exploit has been integrated into multiple malware variants, posing a serious threat to Google account security.

The Exploit Mechanism

The exploit targets the MultiLogin endpoint, an internal mechanism designed for synchronizing Google accounts across services. This endpoint accepts a vector of account IDs and authentication tokens, which is how Google handles concurrent sessions and switching between user profiles. It became a vulnerability when malware such as the Lumma infostealer began using it: the malware extracts tokens and account IDs from Chrome’s token_service table, decrypts the tokens with the encryption key stored in Chrome’s Local State file, and then uses them to regenerate cookies for Google services on demand.

Malware Exploitation and Persistence

Since its discovery, several malware families have incorporated this exploit, including Rhadamanthys, Risepro, Meduza, Stealc Stealer, and White Snake. The persistence it provides allows prolonged and potentially unnoticed access to user accounts and data. What makes the exploit so effective is that it keeps working even after a password reset, so it poses a continuing threat to user data.

  • Key Malware Using the Exploit: Lumma, Rhadamanthys, Risepro, Meduza, Stealc Stealer, White Snake.
  • Targeted Data: Google services’ tokens and account IDs.
  • Method of Attack: Decrypting the stored tokens using Chrome’s Local State encryption key.
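The two artifacts the method above depends on, the key in Local State and the tokens in the token_service table, are also what a defender can watch for. Below is an added detection example, not code from this article or from any of the tools it names: it parses constructed file-read events and flags non-browser processes that read Chrome’s key file and token database; the event format, process names, paths and the assumption that the token_service table lives in the profile’s Web Data database are mine.

```python
import re
from collections import defaultdict

# Constructed EDR-style file-read events (made-up pids, process names and paths), one per line.
SAMPLE_EVENTS = [
    r"pid=4120 proc=chrome.exe access=read path=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State",
    r"pid=4120 proc=chrome.exe access=read path=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"pid=7788 proc=update_helper.exe access=read path=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State",
    r"pid=7788 proc=update_helper.exe access=read path=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"pid=5555 proc=backup_tool.exe access=read path=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State",
    r"pid=9001 proc=explorer.exe access=read path=C:\Users\alice\Documents\notes.txt",
]

EVENT_RE = re.compile(r"pid=(?P<pid>\d+) proc=(?P<proc>\S+) access=(?P<access>\w+) path=(?P<path>.+)$")
BROWSER_PROCS = {"chrome.exe"}   # the browser itself legitimately reads its own profile files
KEY_FILE = "local state"         # file holding the key used to decrypt the stored tokens (per the article)
TOKEN_DB = "web data"            # assumption: the profile SQLite DB that contains the token_service table

def parse_event(line):
    """Parse one constructed event line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    return ev

def chrome_artifact(path):
    """Classify a path as the Chrome key file ('key'), the token DB ('tokens'), or None."""
    p = path.lower()
    if "\\google\\chrome\\user data\\" not in p:
        return None
    name = p.rsplit("\\", 1)[-1]
    return {KEY_FILE: "key", TOKEN_DB: "tokens"}.get(name)

def detect_token_theft(lines):
    """Return (pid, proc, severity) for non-browser processes reading Chrome credential material."""
    # Reading BOTH the key file and the token DB is everything a stealer needs: 'high'. One alone: 'medium'.
    touched = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["access"] != "read" or ev["proc"].lower() in BROWSER_PROCS:
            continue
        kind = chrome_artifact(ev["path"])
        if kind is not None:
            touched[(ev["pid"], ev["proc"])].add(kind)
    return sorted((pid, proc, "high" if arts == {"key", "tokens"} else "medium")
                  for (pid, proc), arts in touched.items())
```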

Potential Origin and Google’s Response

The exploit’s origin traces back to a penetration test of Google Drive services on Apple devices; the imperfect testing done at that time is what exposed the vulnerability. Despite the widespread exploitation of this zero-day flaw, Google has not officially confirmed its existence or detailed any mitigation efforts.

Industry Response and Analysis

CloudSEK and BleepingComputer have provided detailed insights into the exploit’s workings. CloudSEK’s reverse engineering revealed the technicalities behind token and GAIA ID manipulation. BleepingComputer, highlighting the issue’s severity, noted Google’s lack of response despite repeated inquiries.

  • Advice from Experts: Users should log out of their Google accounts, change passwords, and log back in to revoke potentially compromised keys.
  • Additional Evasion Measures: Some malware, such as Lumma, has started using SOCKS proxies and encrypted communication to bypass Google’s abuse detection.

Wider Implications of the Exploit

The exploitation of Google’s MultiLogin endpoint has broader implications for cybersecurity. It underscores the evolving sophistication of cyber threats and the need for continuous vigilance in digital security practices. This incident also highlights the importance of promptly addressing security vulnerabilities and the potential consequences of delayed responses.

Best Practices for Users

In light of this exploit, it’s wise for users to tighten their security:

  • Update Passwords Often: It’s good practice to change your passwords now and then. Don’t use one password everywhere.
  • Turn On Two-Factor Authentication (2FA): An extra security step can make a big difference in keeping out unwanted visitors to your accounts.
  • Keep an Eye on Your Account: Watch out for strange activity or logins from places or gadgets you don’t recognize in your account.
  • Watch Out for Phishing: Stay alert for emails or messages that want your info or send you to fishy websites.

Conclusion and Current Status

There’s a serious flaw in Google’s system that could affect a huge number of people. The problem isn’t going away, and Google hasn’t said much about it, which is worrying when we think about the safety of our data. Security researchers are keeping an eye on this, but nobody is really sure how bad the damage is or what Google is doing to fix it.
