PRISMA's Cat and Mouse Game - Cracking Google's MultiLogin Mystery

CloudSEK, a cyber security firm, found a sneaky way hackers can mess with Google accounts, and it's a bit of a head-scratcher. This method lets them stay logged in, even after changing the password. Sounds wild, right?

For starters, Google uses a system called OAuth2 for keeping things secure. It's like a fancy bouncer at a club, making sure only the right people get in. But these hackers, led by someone calling themselves PRISMA, figured out a trick to keep the party going.

They found a secret spot in Google's system, an undocumented endpoint called "MultiLogin." It's a tool Google uses to sync accounts across different services. The hacker PRISMA exploited this door, creating malware called Lumma Infostealer to do the dirty work.

Now, the clever part is, even if you change your passwords, these hackers can keep sipping on their virtual cocktails. The malware they created knows how to regenerate these secret codes, called cookies, that Google uses to verify who you are.

CloudSEK's researchers say this is a serious threat. The hackers aren't just sneaking in once—they're setting up camp. Even if you kick them out by changing your password, they still have a way back in. It's like changing the locks on your front door, but they somehow still have a secret master key.

Researchers tried reaching out to Google to spill the beans, but so far, it's been crickets. No word from the tech giant on how they plan to deal with this sneaky hack.

So, here we are, in a world where even resetting your password might not be enough to kick out the virtual party crashers. Stay tuned to see how Google responds to this unexpected security hiccup.

Update: Google has responded to the "not new" session token malware issue and assured users that it has taken action to protect compromised accounts. The tech giant also wants to address a misconception, as some reports suggest that users cannot revoke stolen tokens and cookies. This information is inaccurate: users can invalidate stolen sessions by simply signing out of the affected browser or by remotely revoking access through the user's devices page. Google recommends enabling Enhanced Safe Browsing in Chrome as an additional measure to protect against phishing and malware downloads.

The exploit uses Google's MultiLogin endpoint, enabling malware (Lumma Infostealer) to regenerate cookies and keep unauthorized access to the account.
