An undocumented Google OAuth endpoint has been identified to be the root of the notorious info stealing exploit that is being widely implemented by various threat actors in their codes since it appeared in October 2023.
The critical exploit, which allows the generation of persistent Google cookies through token manipulation and enables continuous access to Google services even after a user’s password reset, was first revealed by a threat actor ‘Prisma’ on a Telegram channel.
Open Authentication (OAuth) is an open standard for access delegation, commonly used to enable secure access to resources without sharing user credentials. When a third-party application wants to access Google user data (such as Gmail, Google Calendar, or Google Drive), it redirects the user to Google’s OAuth authorization endpoint.
The exploit’s root is an undocumented Google Oauth endpoint named ‘MultiLogin,’ according to a new blogpost by CloudSEK, a cybersecurity intelligence company has been tracking the exploit. Using the Google OAuth endpoint in this way allows a session jacking exploit to renew expired authentication cookies and gain unauthorized access to a user’s active google services.
After the exploit was first teased on the telegram channel, it was reverse-engineered and incorporated into the Lumma InfoStealer malware. It has since been adopted by Rhadamanthys, Risepro, Meduza and Stealc Stealer, and White Snake, according to CloudSEK research.
CloudSEK analyzed the Chromium codebase and identified the MultiLogin endpoint which is used as an internal mechanism designed for synchronising Google accounts across services.
“This endpoint operates by accepting a vector of account IDs and auth-login tokens — data essential for managing simultaneous sessions or switching between user profiles seamlessly,” CloudSEK said in the blogpost. “While the MultiLogin feature plays a vital role in user authentication, it also presents an exploitable avenue if mishandled, as evidenced by recent malware developments.”
To confirm that a MultiLogin endpoint has been used to regenerate session cookies in the exploit, CloudSEK conversed with Prisma and reverse engineered the exploit executable provided by the threat actor. The study revealed the specific undocumented MultiLogin endpoint that was used in the exploit.
Password resets are not enough
The exploit is possible only after an initial hack into a user’s system to retrieve valid user session tokens. A malware initially infects a victim’s computer, often through methods like malicious spam or untrustworthy downloads. Once the system is compromised, the malware searches for web browser session cookies and other data that can be exploited to gain unauthorized access to accounts.
The pilfered session tokens are sent to the operators of the malware, allowing them to infiltrate and take control of the compromised accounts. Notably, even if users detect the breach and change their Google password, the stolen tokens can still be used for login. The malware extracts and decrypts account IDs and authentication tokens from active Google accounts by examining the token_service table in the WebData of Chrome, which it uses together with MultiLogin to continuously regenerate session information.
To mitigate this risk, users are advised to log out completely, thereby rendering the session tokens invalid and preventing further exploitation.
Lumma hid exploit with token encryption
In order to obfuscate its exploitation mechanism, Lumma encrypted the access token extracted from the token_service table: GAIA ID pair, a critical component in Google’s authentication process.
“This pair, when used in conjunction with the MultiLogin endpoint, enables the regeneration of Google service cookies,” CloudSEK said. “Lumma’s strategic innovation lies in the encryption of this token:GAIA ID pair with their proprietary private keys.”
The encryption was used as a “blackbox” mechanism that allowed Lumma to effectively mask its core mechanism from other malicious entities to keep them from duplicating it. However, to counteract Google’s IP-based restriction on cookie regeneration, Lumma turned to using socket secure (SOCKS) proxies from November 2023, which gave away some details of the requests and responses, resulting in compromising the obscurity.