Security BUZZ - Abuse of Google OAuth

  • 1.  Security BUZZ - Abuse of Google OAuth

    Posted 01-12-2024 09:05

    If you have ever used the "Log in with Google" feature to access a website or an app, you are likely familiar with a technology called OAuth. This technology lets you share your data and resources with other online services without giving away your password. Although OAuth is very convenient and widely used, it can pose some security risks if implemented improperly.
    Recently, a group of cyber attackers discovered a way to exploit a hidden feature of Google's OAuth system to hijack user sessions and access their Gmail and other connected accounts. The attackers used a malware program to steal the tokens and IDs of logged-in Chrome users and manipulate them to generate valid cookies for Google services. These cookies allowed the attackers to maintain unauthorized access to the user accounts, even after the users changed their passwords.
    The exploit was so clever and stealthy that it quickly spread among other malware groups, who adopted it to enhance their own infostealers. The exploit also bypassed Google's usual security measures to protect its users, such as IP-based restrictions and two-factor authentication.
    Fortunately, a team of researchers uncovered the exploit and analyzed its mechanism. They reverse-engineered the malware samples and found out that the exploit relied on an undocumented Google OAuth endpoint called MultiLogin, which is responsible for synchronizing Google accounts across services. The researchers reported their findings to Google and alerted the public about the exploit.
    The exploit demonstrated the increased sophistication and stealth of cyberattackers, who are constantly looking for new ways to compromise user data and accounts.

    #ALTACyber
    ------------------------------
    Genady Vishnevetsky
    Chief Info Security Officer
    Stewart Title Guaranty Company
    Houston TX
    ------------------------------