A sophisticated exploit targeting Google’s OAuth2 authentication system was uncovered by Prisma threat actor. This exploit leverages undocumented functionalities within Google’s MultiLogin endpoint, enabling attackers to generate and maintain persistent Google cookies even after a password reset.
OAuth2 Vulnerability Allows for Persistent Session Hijacking
The attackers found a way to use specific components within the Chrome browser to hijack sessions without a risk of it being interrupted by password changes. They targeted Chrome’s token_service table, part of the WebData, to exfiltrate tokens and account IDs. This table contains essential information, such as the GAIA ID and the encrypted_token column. Next, the attackers decrypted these encrypted tokens using a key stored in Chrome’s Local State within the UserData directory.
This method is similar to how Chrome stores passwords, indicating that the attackers deeply understood Chrome’s data management system. The exploit’s success relied on the attackers’ ability to navigate and utilize Chrome’s intricate data structures, specifically those related to user authentication and token management.
MultiLogin Endpoint Is The Culprit
The MultiLogin endpoint is a crucial element of Google’s OAuth2 system. It synchronizes Google accounts across various services, ensuring a consistent user experience by aligning the browser account states with Google’s authentication cookies. However, attackers have found a way to exploit this endpoint’s functionality. By providing vectors of account IDs and auth-login tokens, attackers can maintain unauthorized access to Google services.
Although this is a regular operation for the endpoint, attackers have used it maliciously. The endpoint’s invisibility and exploitability make it an ideal target for exploitation. It is not widely documented or known, and its role in managing simultaneous sessions or user profile switches makes it a potent tool for attackers once they understand how to manipulate it.
The Discovery and Spread of the OAuth2 Exploit
Back in October 2023, one of the malware developers described a vulnerability in OAuth2 and the exploit to it on its Telegram channel. This exploit uniquely allowed the generation of persistent Google cookies by manipulating tokens. This capability ensured continuous access to Google services, bypassing standard security measures even after resetting the user’s password. Obviously, the exploit’s potential didn’t go unnoticed.
Lumma infostealer was the first to integrate this exploit in November 2023, employing advanced blackboxing techniques to protect the methodology. This incorporation marked the beginning of a trend, as the exploit quickly caught the attention of various malware groups. Following Lumma, malware entities like Rhadamanthys, Stealc, Meduza, Risepro, and WhiteSnake implemented the exploit. Each group brought nuances to the exploit’s application, indicating its versatility among cybercriminals.
Hidden Tactics
In addition, the attackers manipulated the token:GAIA ID pair, which is also essential in Google’s authentication process. This manipulation allowed them to regenerate Google service cookies and maintain unauthorized access to user accounts. Thus, Lumma, a key player in exploiting this vulnerability, encrypted the critical token:GAIA ID pair with proprietary private keys. This process, known as “blackboxing,” not only obscured the core mechanics of the exploit but also made it difficult for other malicious entities to replicate the method.
Since the attackers encrypted the communication between their C2 and the MultiLogin endpoint, it was challenging for network security systems to detect the exploit. Standard security protocols often overlook such encrypted traffic, mistaking it for legitimate data exchange.
Interim Measures for Protection
While Google is working on fixing the vulnerability, there are some immediate steps you can take to protect your account. First, it is recommended that you log out of all your browser profiles. This will invalidate your current session tokens. After logging out, change your password and log in again. The action will generate new session tokens. Such a step is essential because tokens and GAIA IDs may have been stolen, and generating new session tokens will prevent unauthorized access by rendering the old tokens useless.