Google accounts hacked with cookies
January 19, 2024

It’s scary just how much of our lives we hand to platforms such as Google. For its part, Google does its level best to ensure that the trust we place in it is not misplaced, particularly where our user data and privacy are concerned. Unfortunately, a breach in Google’s defences quickly becomes a breach in ours. Worse, it appears that a simple password reset won’t keep the bad guys away either. Refusing cookies is no defence here, either: the cookies at issue are Google’s own authentication cookies, the ones that let you stay signed in instead of entering your password every single time, and they live on your own machine where malware can reach them.

The exploit was first revealed via a post on a Russian-language Telegram channel that details how these cookies let an attacker take over a signed-in session without the password or the second factor, which is why two-factor authentication does not stop it. The ‘hacker’ behind the post is a developer known as PRISMA. A 2023 analysis from the cyber security firm CloudSEK titled ‘Compromising Google accounts: Malware Exploiting Undocumented OAuth2 Functionality for session hijacking’ investigated the flaw. Pavan Karthik M, a threat intelligence researcher at CloudSEK, reports that “In October 2023, PRISMA, a developer, uncovered a critical exploit that allows the generation of persistent Google cookies through token manipulation. This exploit enables continuous access to Google services, even after a user’s password reset.” The post went up on the 20th of October last year: by the 14th of November the technique had already been built into the Lumma infostealer malware. Researchers have since seen it spread to other infostealer families, including Risepro, Rhadamanthys, Stealc and Meduza.


CloudSEK’s report followed a flag raised by the company’s AI digital risk platform XVigil on the Telegram message that revealed the exploit. Essentially, the exploit lets bad actors keep using Google services even after the account’s owner resets their password: stolen session cookies can be replayed to log into the account, Gmail included. Google responded to the report in a statement to The Independent, warning that “Users should continually take steps to remove any malware from their computer, and we recommend turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.” CloudSEK recommends signing the account out of every device and browser before resetting the password if a compromise is suspected, and provides a step-by-step guide for users to protect their accounts.

  • If a Google account holder suspects that their account is compromised, the immediate first step should be to sign out of all their browsers and devices. This invalidates the session tokens currently in circulation, including any copies the attacker holds.
  • The next step should be signing back in on a device known to be clean, which generates fresh session tokens. This matters most if the account’s tokens and GAIA ID are known to have been stolen; signing in again on an infected machine would simply hand the new tokens to the malware.
  • Reset the password: this blocks further unauthorised access by invalidating the previous session tokens that let the attacker in.

There are of course other common-sense precautions you should take to keep your point of access safe, whether you use Google or anything else. This includes regularly updating your browser so that you pick up the latest security patches. Chrome checks for updates regularly, downloads them when available and applies them whenever you close and reopen the browser. Using strong, unique passwords, paying attention to the warnings that pop up when you download something from the internet, and always turning on 2-step verification where it is available go a long way towards protecting you from most threats, even if they don’t stop this particular one once malware is already on the machine.


As suggested by the title of CloudSEK’s report, the exploit targets OAuth 2.0, or Open Authorization 2.0, the protocol that lets applications obtain tokens to act on a user’s behalf without handling the user’s password. According to the researchers, the exploit relies on an undocumented Google OAuth endpoint called ‘MultiLogin’, fed with a stolen token paired with the account’s Google Accounts and ID Administration (GAIA) ID. The malware families that adopted it wrap that token and ID pair, and the code that uses it, in a layer of encryption to hide the technique from analysis. Google Chrome is the single most popular web browser in the world, holding more than 60% of the market as of last year, and given all the features Chrome provides it isn’t likely that this weakness alone will drive people away from it. Chrome is also among the stronger browsers for safe browsing: its authentication cookies are issued with expiry times, so a stolen cookie is normally only useful until it expires. The new exploit regenerates expired cookies, which has undoubtedly put the endpoint on Google’s to-do list.
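Expiry is the property the exploit defeats, so the first thing an incident responder wants to know is which Google session cookies were sitting on the affected machine and whether they were still live when the malware ran. The following script is an added example, not code from the article, CloudSEK or Google. It reads a copy of Chrome’s Cookies SQLite database, picks out the Google authentication cookies, and classifies each as session-only, valid or expired as of a chosen reference time. It assumes only the columns it queries (host_key, name, expires_utc, last_access_utc) and Chrome’s timestamp convention (microseconds since 1601-01-01 UTC, 0 meaning no expiry); the database it builds is a constructed sample, and cookie values are deliberately not touched, since they are encrypted on disk and the point is to see what sessions existed, not to decrypt them.

```python
"""Triage Google session cookies in a copy of Chrome's Cookies SQLite database.

Added example, not from the article, CloudSEK or Google. Assumes only the
columns queried below and Chrome's timestamp convention (microseconds since
1601-01-01 UTC; 0 = no expiry). The sample database is constructed inline.
"""
import calendar
import sqlite3
from datetime import datetime, timezone

# Google authentication cookies an infostealer harvests alongside the token
# it feeds to MultiLogin. A domain-wide cookie such as NID is not one of them.
GOOGLE_AUTH_COOKIES = {"SID", "HSID", "SSID", "APISID", "SAPISID", "LSID",
                       "__Secure-1PSID", "__Secure-3PSID"}

# Seconds between 1601-01-01 and 1970-01-01 (UTC), Chrome's epoch offset.
CHROME_EPOCH_OFFSET_S = 11_644_473_600

# Reference time for the sample run: the article's publication date.
SAMPLE_NOW = datetime(2024, 1, 19, tzinfo=timezone.utc)


def chrome_time_to_datetime(chrome_us):
    """Chrome 1601-epoch microseconds -> aware UTC datetime (None if 0)."""
    if not chrome_us:
        return None
    unix_s, frac_us = divmod(int(chrome_us), 1_000_000)
    base = datetime.fromtimestamp(unix_s - CHROME_EPOCH_OFFSET_S, tz=timezone.utc)
    return base.replace(microsecond=frac_us)


def datetime_to_chrome_time(dt):
    """Aware datetime -> Chrome 1601-epoch microseconds (integer arithmetic)."""
    unix_s = calendar.timegm(dt.utctimetuple())
    return (unix_s + CHROME_EPOCH_OFFSET_S) * 1_000_000 + dt.microsecond


def list_google_sessions(conn, now=None):
    """Return Google auth cookies in the DB with a validity status at `now`."""
    now = now or datetime.now(timezone.utc)
    found = []
    query = ("SELECT host_key, name, expires_utc, last_access_utc FROM cookies "
             "WHERE host_key LIKE '%google.com' ORDER BY host_key, name")
    for host, name, expires_us, last_access_us in conn.execute(query):
        if name not in GOOGLE_AUTH_COOKIES:
            continue  # not an authentication cookie; ignore
        expires = chrome_time_to_datetime(expires_us)
        if expires is None:
            status = "session"      # no expiry: lives until Chrome drops it
        elif expires > now:
            status = "valid"        # replayable as-is if stolen
        else:
            status = "expired"      # only useful with a regeneration trick
        found.append({"host": host, "name": name, "expires": expires,
                      "last_access": chrome_time_to_datetime(last_access_us),
                      "status": status})
    return found


def build_sample_db():
    """Constructed sample of the Chrome `cookies` table (subset of columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, value TEXT, "
                 "encrypted_value BLOB, expires_utc INTEGER, "
                 "last_access_utc INTEGER, is_persistent INTEGER)")
    seen = datetime_to_chrome_time(datetime(2024, 1, 18, 9, 30, tzinfo=timezone.utc))
    chrome = lambda *ymd: datetime_to_chrome_time(datetime(*ymd, tzinfo=timezone.utc))
    rows = [  # (host, name, value, encrypted_value, expires, last_access, persistent)
        (".google.com", "__Secure-1PSID", "", b"v10\x00...", chrome(2025, 1, 18), seen, 1),
        (".google.com", "SID", "", b"v10\x00...", chrome(2023, 12, 1), seen, 1),
        (".google.com", "LSID", "", b"v10\x00...", 0, seen, 0),
        (".google.com", "NID", "", b"v10\x00...", chrome(2024, 7, 1), seen, 1),
        ("example.com", "session", "", b"v10\x00...", 0, seen, 0),
    ]
    conn.executemany("INSERT INTO cookies VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    # Real use: copy the profile's Cookies file first (Chrome locks the live one),
    # then sqlite3.connect(path_to_copy) in place of build_sample_db().
    for s in list_google_sessions(build_sample_db(), now=SAMPLE_NOW):
        print(f"{s['name']:<16} {s['status']:<8} expires={s['expires']} "
              f"last_access={s['last_access']}")
```

On a real machine, copy the profile’s Cookies file (on Windows it sits under the profile’s Network folder inside %LOCALAPPDATA%\Google\Chrome\User Data) before opening it, because Chrome holds a lock on the live database. A cookie reported as “expired” is exactly the kind that the MultiLogin technique can bring back to life, which is why signing out everywhere, rather than waiting for expiry, is the step that actually cuts the attacker off.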

Although Google is undoubtedly taking steps to address the issue, some claim that it is downplaying the problem. Google has characterised the exploit as an issue with an API and the malware that abuses it, not a fault in the browser itself, reassuring the public that it “routinely upgrade(s) (our) defences against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.” The revelation has heightened calls for greater transparency from Big Tech corporations about the way user data is handled, stored and protected, especially where mechanisms such as session cookies are involved. The existence of an undocumented API that can mint fresh session cookies raises its own questions about unintended consequences, and about a responsibility to protect user data that extends beyond mere technical fixes.

While regenerating Google session cookies through an undocumented endpoint is a relatively new approach, malware designed to steal passwords and cookies from users is not. The specificity of this technique points to the narrow and stealthy nature of modern cyber threats. From a user perspective, it only serves to reiterate the continuous need to monitor both the technical and the individual vulnerabilities that put our data at risk. For Google, it’s a thorny reminder that the goalpost for security is a constantly moving one.

(Theruni M. Liyanage)

© All content copyright The Hype Economy. Do not reproduce in any form without permission, even if you have a paid subscription.