Growing Threat: Multiple Infostealer Malware Exploiting Google OAuth Vulnerability

ICARO Media Group
News
02/01/2024 21h21

In a concerning development, security researchers have uncovered that info-stealing malware can still gain access to compromised Google accounts, even after users have changed their passwords. This exploit, which was initially introduced by a cybercriminal named "PRISMA" in October 2023, has since been adopted by several malware families, with at least six known instances taking advantage of the vulnerability. Among them are Lumma and Rhadamanthys, while Eternity Stealer is set to release an update in the near future.

According to experts at CloudSEK, the root of the exploit lies in an undocumented Google OAuth endpoint called "MultiLogin." This endpoint, responsible for synchronizing Google accounts across different services, unwittingly became a gateway for malicious activity. Exploiting this weakness, the malware focuses on stealing users' session tokens, enabling unauthorized access to accounts.

The path to accessing these tokens involves malware infecting a user's PC, typically through spam emails or malicious downloads. Once inside, the malware scours the system for web browser session cookies, including those containing valuable login information. While session cookies are intended to expire regularly, recent incidents, such as the Okta breach in October, have shown that hijacking sessions is a viable and potentially devastating method.

Upon extracting the session tokens, the malware operators can take advantage of a further weakness: the tokens remain valid even after users change their Google passwords. To prevent exploitation, users are advised to log out of their Google accounts entirely, which invalidates the session tokens.

Analysis of the infostealer malware revealed that the stolen account IDs and auth-login tokens are taken from the token_service table of Chrome's WebData database. Specifically, the exploit relies on two columns of that table: the service column, which contains a GAIA ID, and the encrypted_token column. The encrypted token is decrypted using a key stored in Chrome's Local State file, which lives in the UserData directory.
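The file locations named above give defenders a concrete detection hook: on a normal workstation only the browser itself has any reason to read Chrome's "Local State" and "Web Data" files. The following Python is an added example (not code from the article or from CloudSEK's report) that flags non-browser processes touching those files in file-access telemetry; the event records, process names and the chrome.exe allowlist are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Chrome profile files named in the article: the token_service table lives in
# "Web Data" and the key that unwraps encrypted_token lives in "Local State".
# "Cookies" is included because the article also describes session-cookie theft.
TOKEN_STORE_FILES = {"web data", "local state", "cookies"}

# Processes expected to open these files (assumption: a plain Chrome install).
ALLOWED_PROCESSES = {"chrome.exe"}

# Constructed file-access events in the shape an EDR or Sysmon-style pipeline
# might emit; these are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"pid": 7733, "image": r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"pid": 7733, "image": r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"pid": 9001, "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]

def in_chrome_profile(target: str) -> bool:
    """True when the path sits under a Chrome 'User Data' directory."""
    parts = [p.lower() for p in PureWindowsPath(target).parts]
    return "user data" in parts and "chrome" in parts

def is_token_store_access(target: str) -> bool:
    """True when the accessed file is one of the credential/token stores."""
    name = PureWindowsPath(target).name.lower()
    return in_chrome_profile(target) and name in TOKEN_STORE_FILES

def find_suspicious(events):
    """Return (pid, image, target) for non-browser processes reading token stores."""
    hits = []
    for ev in events:
        proc = PureWindowsPath(ev["image"]).name.lower()
        if proc not in ALLOWED_PROCESSES and is_token_store_access(ev["target"]):
            hits.append((ev["pid"], ev["image"], ev["target"]))
    return hits

def summarize(events):
    """Group hits per process; one process reading both Local State and Web Data
    (key plus encrypted tokens) is the strongest signal of token theft."""
    by_proc = {}
    for pid, image, target in find_suspicious(events):
        by_proc.setdefault((pid, image), set()).add(PureWindowsPath(target).name.lower())
    return {k: sorted(v) for k, v in by_proc.items()}

if __name__ == "__main__":
    for (pid, image), files in summarize(SAMPLE_EVENTS).items():
        print(f"pid {pid} {image} read: {', '.join(files)}")
```

In production the allowlist should be tightened to the signed browser binary's full path rather than its basename, since a dropper can name itself chrome.exe.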

By using MultiLogin in conjunction with the stolen token:GAIA ID pairs, the malware can continuously generate Google service cookies, facilitating unauthorized logins even after passwords have been reset.

As the number of malware families exploiting this vulnerability continues to grow, it is imperative for users to remain vigilant and take additional security measures. Logging out entirely from Google accounts is crucial to invalidate any potentially compromised session tokens and mitigate the risk of exploitation.

Google has been alerted to this ongoing issue, and it is expected that they will work swiftly to address this vulnerability and enhance the security of their OAuth framework. In the meantime, users are advised to exercise caution when handling suspicious emails or downloading unknown files to minimize the risk of falling victim to infostealer malware.

As the threat evolves, cybersecurity experts will continue their efforts to detect and mitigate the impact of these exploits, working towards a safer online environment for all users.
