Infostealers Abuse Google OAuth Endpoint to ‘Revive’ Cookies, Hijack Accounts

The exploitation of an undocumented Google OAuth endpoint, MultiLogin, by various information-stealing malware strains has raised significant concerns within the cybersecurity landscape. This critical vulnerability, discovered by security researchers following a disclosure on Telegram by a threat actor known as Prisma on Oct. 20, 2023, poses a substantial risk to user sessions and account security. 

Tell me more about the Google OAuth Endpoint Vulnerability

The exploit leverages the MultiLogin API, originally designed for syncing Google accounts, to manipulate tokens to enable the regeneration of expired authentication cookies. This manipulation leads to two notable features that significantly compromise user security: 

• Session Persistence: Despite password changes, a user’s Google session remains valid, allowing persistent unauthorized access to various accounts linked to the compromised session, such as Gmail and other Google services. 
• Cookie Generation: Attackers can generate valid cookies if sessions are disrupted, providing them with an easy way to regain unauthorized access even after potential disruptions. 

Upon reverse engineering the exploit, security researchers traced its root cause to the undocumented MultiLogin endpoint. This endpoint accepts account IDs and authentication tokens, thereby allowing malicious actors to extract Chrome profile tokens and IDs.  

Lumma Stealer was the first malware strain to integrate this exploit on Nov. 14, 2023, announcing the feature’s integration with an advanced blackboxing approach. Subsequently, other malicious software like Rhadamanthys Stealer, Stealc, Medusa, RisePro and Whitesnake have also incorporated this vulnerability. Presently, at least six infostealers are known to exploit the Google OAuth MultiLogin API.  

Despite the severity of this vulnerability, Google has not yet confirmed the abuse of MultiLogin. The exploitation status and Google’s mitigation efforts remain unclear. 

What is Nuspire doing?

Nuspire, in response to these emerging threats, actively conducts threat hunts within client environments to detect signs of compromise by infostealers and other cyber threats. This proactive approach aims to identify and neutralize potential vulnerabilities before threat actors can exploit them. 

How should I protect myself from the Google OAuth Endpoint Vulnerability?

To protect against the Google OAuth endpoint vulnerability and similar threats, organizations and users should take several proactive measures: 

• Implement an EDR Solution: Employ an endpoint detection and response solution capable of detecting and blocking infostealers and other malicious activities. 
• User Awareness Training: Conduct regular training sessions to educate users about phishing techniques, as they remain a primary method for spreading infostealers and malware. 
• Least Privilege Principle: Enforce appropriate, business-driven, role-based access control policies to limit unnecessary access and reduce the attack surface. 
• Anomaly Monitoring: Continuously monitor for anomalies such as suspicious logins, brute-force attempts and unauthorized access attempts to swiftly identify potential threats. 
• Account Security Measures: If there’s suspicion of an account being compromised, or as a general precaution, sign out of all browser profiles to invalidate current session tokens. Reset passwords and sign back in to generate new tokens, thus enhancing account security. 

The exploitation of the Google OAuth Endpoint poses a significant threat to user security. Adopting a multi-layered security approach, including robust endpoint protection, user education, stringent access control policies, vigilant monitoring and swift response measures, is crucial to mitigating such risks and safeguarding against emerging cyber threats.