Risk: high
Damage: high
Platform(s): Google Web Browsers
Advisory ID: ngCERT-2024-0001
Version: N/A
CVE: N/A
Published: January 11, 2024
Security researchers uncovered a new technique used by cyber criminals to break into people's Google accounts without requiring their passwords. Google accounts are potentially exposed through authentication cookies that bypass two-factor authentication. In this attack, criminals use malware to gain access to Google accounts without needing any passwords. According to the findings, the malware uses third-party cookies to gain access to private information in affected accounts. Furthermore, the new weakness allows attackers to access Google services even after a user's password has been reset. However, Chrome is currently cracking down on third-party cookies.
This attack exploits a major weakness in the cookie generation process. During an attack, the criminals use session persistence techniques to keep their sessions valid despite changes in credentials. This is due to a weakness in cookies, which websites and browsers use to track users and improve efficiency and functionality. Google authentication cookies let users access their accounts without repeatedly entering their login information. However, the attackers identified a technique to extract these cookies and bypass two-factor authentication. This exploit allows continued access to Google services even when a user's password is reset. The technique was first built into the Lumma Infostealer malware and was thereafter adopted by the Rhadamanthys, Risepro, Meduza, Stealc Stealer, WhiteSnake and Eternity Stealer malware families.
These stealers target Chrome's token_service table in the WebData database to collect tokens and account IDs from logged-in Chrome profiles. The encrypted tokens are decoded using an encryption key saved in Chrome's Local State file within the UserData directory, just as saved passwords are. The attack strategy is based on a subtle alteration of the token:GAIA ID pair, a vital component of Google's authentication process. This pair, when used with the MultiLogin endpoint, allows Google service cookies to be regenerated. The stealers encrypt the token:GAIA ID pair with their own private keys, essentially 'blackboxing' the exploitation process and keeping the core mechanics of the attack hidden.
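A defender-side check suggested by the description above. This is an added example, not part of the ngCERT advisory: it scans constructed file-access audit lines (the log format, the process names and the allowlist are assumptions) and flags any process other than chrome.exe that opens a Chrome profile's "Web Data" database (which holds the token_service table) or the "Local State" file, raising the severity when one process touches both within a short window, since the stealers described need the key from Local State to decrypt the tokens read from the database.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Files the advisory names as the stealers' targets: the "Web Data" SQLite
# database (holds the token_service table) and "Local State" (holds the
# key used to decrypt the stored tokens). Keys are lower-cased basenames.
TARGET_FILES = {"web data": "token_service database", "local state": "token decryption key"}
CHROME_DIR_RE = re.compile(r"\\Google\\Chrome\\User Data\\", re.IGNORECASE)

# Processes expected to open these files. Assumed allowlist; extend it for
# legitimate backup or endpoint agents in your environment.
ALLOWED_IMAGES = {"chrome.exe"}

# Assumed audit-line format: "<ISO timestamp> <pid> <image> <op> <path>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<pid>\d+) (?P<image>\S+) (?P<op>OPEN|READ|WRITE) (?P<path>.+)$")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "2024-01-11T09:00:01 4120 chrome.exe OPEN C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data",
    "2024-01-11T09:00:02 4120 chrome.exe OPEN C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State",
    "2024-01-11T09:05:10 5532 update_helper.exe OPEN C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State",
    "2024-01-11T09:05:11 5532 update_helper.exe READ C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\Web Data",
    "2024-01-11T09:07:00 6001 backup.exe READ C:\\Users\\alice\\Documents\\notes.txt",
    "2024-01-11T09:30:00 6100 notepad.exe OPEN C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data",
]


def parse_event(line):
    """Parse one audit line into a dict, or return None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["pid"] = int(ev["pid"])
    return ev


def classify_path(path):
    """Return the target-file key ("web data" / "local state") if the path is a sensitive
    Chrome User Data file, else None. Works for any profile directory (Default, Profile 1, ...)."""
    if not CHROME_DIR_RE.search(path):
        return None
    basename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return basename if basename in TARGET_FILES else None


def find_suspicious(lines, window=timedelta(minutes=5)):
    """Group sensitive-file accesses by (pid, image) for non-allowlisted processes.
    Severity is "high" when one process touches both files within `window`
    (the combination needed to decrypt tokens), otherwise "medium"."""
    touched = defaultdict(list)  # (pid, image) -> [(timestamp, target_key)]
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["image"].lower() in ALLOWED_IMAGES:
            continue
        target = classify_path(ev["path"])
        if target:
            touched[(ev["pid"], ev["image"])].append((ev["ts"], target))

    alerts = []
    for (pid, image), hits in touched.items():
        hits.sort()
        files = {t for _, t in hits}
        first, last = hits[0][0], hits[-1][0]
        both = files == set(TARGET_FILES) and (last - first) <= window
        alerts.append({
            "pid": pid,
            "image": image,
            "files": sorted(files),
            "first_seen": first,
            "severity": "high" if both else "medium",
            "reason": ", ".join(TARGET_FILES[f] for f in sorted(files)),
        })
    return sorted(alerts, key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS):
        print(f'{alert["severity"]:6} pid={alert["pid"]} {alert["image"]} -> {alert["reason"]}')
```

In the constructed sample, chrome.exe is ignored, update_helper.exe is reported as high because it reads both Local State and a profile's Web Data within seconds, and notepad.exe is reported as medium for opening Web Data alone. In a real deployment the allowlist and the log parser would be adapted to whatever file-access telemetry the endpoint agent produces.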
Successful exploitation will result in the following:
It is therefore recommended that: