Keep a close eye on your Google account right now! Hackers are using a security flaw to harvest and modify the Internet giant’s cookies, allowing them to access your account even if you change your password.
Clearly, cybercriminals are making life difficult for us! They keep finding new ways to trap us and are developing increasingly sophisticated viruses. Phishing emails and SMS, fake login pages, fraudulent registered letters, phone calls from impersonators… Anything goes! The goal is always the same: to siphon off your personal and banking data. Recently, however, hackers found a way to exploit a critical vulnerability in Google accounts, which is a real gold mine for them. It lets them take over your account and use it as they wish, even if you reset your password. In recent weeks, a growing number of malware strains have started exploiting this flaw to log in to Google accounts automatically, without having to enter any credentials.
To achieve this, cybercriminals exploit an undocumented Google OAuth2 endpoint called MultiLogin, which allows a website or application to access resources hosted by other web applications on behalf of a user. They use it to recover expired authentication cookies. Among the small files that web browsers store on your devices (computer, smartphone, etc.) as you browse are the so-called “internal” cookies which, set by the sites you visit, keep your browsing session alive so that those sites recognize you and you do not have to log in again each time. For security reasons, however, these cookies have an expiration date, after which you must re-enter your credentials; in theory, they cannot be reused once the browsing session is over.
However, cybercriminals have found a way to exfiltrate these cookies, both active and expired, from computers infected with certain malware, and to restore the ones that have expired. As a result, the cookies no longer expire and are not revoked, even if you change your password. Several malware families have been updated in recent weeks to exploit this flaw and bypass Google’s patches. Today, at least six malware variants (Lumma, Rhadamanthys, Stealc, Medusa, RisePro, and Whitesnake) implement this method of token misuse.
Faced with this discovery, Google nonetheless wants to be reassuring. According to the company, malware that steals cookies and tokens is nothing new, and its defenses against such techniques are improved regularly. To prevent the cookies of your Google account from being exploited by hackers, regularly review access to your account and sign out all connected devices, apps and third-party applications from the device management section. Only once this is done should you change your password. By doing so, you signal to the session that the current password is no longer sufficiently secure and may have been subject to unauthorized access. It therefore makes sense to revoke the associated authentication tokens, contained in cookies, at the same time and to force a new login with the new password. Otherwise, hackers could use these tokens to access your account even after the password reset.