New malware exploits a vulnerability in Google Chrome to steal session tokens and create persistent cookies, allowing attackers to access Google Accounts even after password changes. Google has responded by securing compromised accounts and clarifying that users can invalidate stolen sessions by signing out. The company recommends that users remove any malware, turn on Enhanced Safe Browsing, and avoid installing unfamiliar software. Despite Google's countermeasures, multiple malware groups claim to have adapted to these defenses.
Cybersecurity researchers have discovered that several strains of info-stealing malware can maintain access to compromised Google accounts even after victims change their passwords, due to a zero-day exploit involving Google's OAuth endpoint "MultiLogin." The malware, which primarily targets Windows users, steals session tokens from web browsers, allowing attackers to bypass password changes and continually access victims' emails and cloud storage. The exploit has been adopted by at least six malware families, including Lumma and Rhadamanthys, with Eternity Stealer planning to release an update soon. To prevent exploitation, users must log out completely to invalidate their session tokens. Google has yet to respond to inquiries about its plans to address this security issue.
A new malware exploit targets Google Chrome to extract and decrypt login tokens, allowing attackers to create persistent Google cookies for account access, even after password changes. The vulnerability, which has been sold by multiple malware groups since mid-November, can bypass traditional security measures like password resets and potentially two-factor authentication. Users are advised to avoid installing unfamiliar software to prevent such malware infections.