
New malware restores cookies to break into your Google Account [U: Google responds]

A severe cookie-related vulnerability that first involves malware exfiltrating files from Chrome looks to allow access to Google Accounts even after passwords are changed. 

Update 1/2/24: Google is out with a response to the session token malware today. The company says it has “taken action to secure any compromised accounts detected,” and that the way to combat stolen sessions is by signing out of the affected browser — from the Account switcher in the top-right corner of any Google site — or device.

Google is aware of recent reports of a malware family stealing session tokens. Attacks involving malware that steals cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.

However, it’s important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user. This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user’s devices page. We will continue to monitor the situation and provide updates as needed.

In the meantime, users should continually take steps to remove any malware from their computer, and we recommend turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.


Original 12/29/23: This is according to BleepingComputer and a writeup by CloudSEK and Hudson Rock. At a high level, this vulnerability requires malware to be installed on a desktop in order to “extract and decrypt login tokens stored within Google Chrome’s local database.” 

What is obtained is then used to send a request to a Google API – one normally used by Chrome to sync accounts across different Google services – and create “stable and persistent Google cookies” responsible for authentication that can be used to access your account. In this case, it’s not clear whether two-factor authentication provides any protection.

Essentially, the infusion of the key from restore files enables the reauthorization of cookies, ensuring their validity even after a password change. 

What’s most concerning is that this “restoration” process can be repeated multiple times if the victim never becomes aware that they’ve been compromised. Even worse, even after a Google Account password reset, this exploit can be used one more time by the bad actor to gain access to your account.

Multiple malware groups, six by BleepingComputer’s count, have access to this vulnerability and are selling it. This exploit was first advertised in mid-November. Notably, some of these parties say they have already updated this vulnerability to combat the countermeasures Google has implemented.

We’ve reached out to Google for more information. In terms of immediate measures you can take, do not install software you’re not familiar with (as it could be malware).

Kyle Bradshaw contributed to this post.


You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel


Author: Abner Li, Editor-in-chief. Interested in the minutiae of Google and Alphabet. Tips/talk: abner@9to5g.com