Tuesday December 03, 2024

Advisory ID: ngCERT-2024-0001

Summary: Security researchers uncovered a new technique used by cyber criminals to hack into people's Google accounts without requiring their passwords. Google accounts are potentially exposed through authentication cookies that bypass two-factor authentication. In this attack, criminals employ malware to gain access to Google accounts without requiring any passwords. According to the findings, the malware uses third-party cookies to gain access to private information from affected accounts. Furthermore, the new weakness allows hackers to access Google services even after a user's password has been reset. However, Chrome is currently cracking down on third-party cookies.

Damage/Probability: CRITICAL/HIGH

Description: This attack exploits a major weakness in the cookie generation process. During an attack, hackers use session persistence techniques to keep their sessions valid despite changes in credentials. This is due to a weakness in cookies, which are used by websites and browsers to track users and improve their efficiency and functionality. Google authentication cookies enable users to access their accounts without repeatedly entering their login information. However, hackers identified a technique to extract these cookies and bypass two-factor authentication. This exploit allows continued access to Google services even when a user's password is reset. The technique was first incorporated into the Lumma infostealer and was thereafter adopted by the Rhadamanthys, RisePro, Meduza, Stealc, White Snake and Eternity stealers.

The infostealers target the token_service table in Chrome's WebData database to collect tokens and account IDs from logged-in Chrome profiles. The encrypted tokens are decrypted using the encryption key saved in Chrome's Local State file within the User Data directory, in the same way saved passwords are. The attack relies on a subtle manipulation of the token:GAIA ID pair, a vital component of Google's authentication process: when this pair is presented to the MultiLogin endpoint, Google service cookies can be regenerated. The malware authors encrypt the token:GAIA ID pair with their own private keys, effectively 'black-boxing' the exploitation process and keeping the core mechanics of the hack hidden.
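The behaviour described above, malware reading the token_service table from Chrome's Web Data store and the decryption key from Local State, gives defenders a concrete host-level signal: these two files should normally be opened only by the browser itself. The following is an added example, not code from the advisory or from ngCERT. It is a small Python detector run over constructed, Sysmon-style file-access records that flags any process other than chrome.exe opening either file under a Chrome User Data directory. The record format, sample log lines, process names and the allowlist are all assumptions made for this example.

```python
"""Flag non-browser processes opening Chrome's token and key stores.

Added example (not part of the ngCERT advisory). Scans constructed
file-access records and alerts when a process other than the browser
opens the "Web Data" SQLite file (which holds the token_service table)
or the "Local State" file (which holds the encryption key) under a
Chrome "User Data" directory. The record format is an assumption;
adapt the regex to what your EDR or Sysmon pipeline actually emits.
"""
import re
from dataclasses import dataclass

# File names the advisory identifies as the infostealers' targets.
SENSITIVE_FILES = {"web data", "local state"}

# Processes legitimately expected to open those files. Assumed allowlist;
# extend it with agents you trust (backup software, for example).
ALLOWED_IMAGES = {"chrome.exe"}

# Constructed record format: <ts> pid=<n> image="<path>" target="<path>"
RECORD_RE = re.compile(
    r'^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+image="(?P<image>[^"]+)"\s+target="(?P<target>[^"]+)"$'
)

# Constructed sample records for the example (not real telemetry).
SAMPLE_LOG = [
    r'2024-12-03T09:14:02Z pid=4120 image="C:\Program Files\Google\Chrome\Application\chrome.exe" target="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"',
    r'2024-12-03T09:14:09Z pid=5532 image="C:\Users\alice\AppData\Local\Temp\updater.exe" target="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"',
    r'2024-12-03T09:14:10Z pid=884 image="C:\Windows\System32\svchost.exe" target="C:\Windows\System32\config\SOFTWARE"',
    r'2024-12-03T09:14:11Z malformed record with no fields',
    r'2024-12-03T09:14:15Z pid=5532 image="C:\Users\alice\AppData\Local\Temp\updater.exe" target="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"',
]


@dataclass(frozen=True)
class Alert:
    ts: str
    pid: int
    image: str
    target: str


def is_chrome_credential_store(path: str) -> bool:
    """True if path is 'Web Data' or 'Local State' beneath a Chrome 'User Data' directory."""
    parts = path.replace("\\", "/").lower().split("/")
    if "user data" not in parts:
        return False
    return parts[-1] in SENSITIVE_FILES


def image_basename(image: str) -> str:
    """Lower-cased executable name from a full Windows or POSIX path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(lines) -> list:
    """Return an Alert for every record where a non-allowlisted process opens a credential store."""
    alerts = []
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # unparseable record: skip rather than crash the pipeline
        if not is_chrome_credential_store(m["target"]):
            continue
        if image_basename(m["image"]) in ALLOWED_IMAGES:
            continue
        alerts.append(Alert(m["ts"], int(m["pid"]), m["image"], m["target"]))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"ALERT {a.ts} pid={a.pid} {a.image} opened {a.target}")
```

Run against the constructed records, the detector raises two alerts, both for the unknown updater.exe in a Temp directory, and stays silent for chrome.exe and for unrelated files. In production the same logic belongs in a SIEM or EDR rule keyed on file-open events; the main tuning work is the allowlist, since legitimate backup or sync agents may also read these files.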

Consequences: Successful exploitation will result in the following:

  • Attackers can gain session persistence even when the account password is changed, bypassing typical security measures.
  • Attackers' ability to maintain unauthorized access is enhanced by the capability to generate valid cookies in the event of a session disruption.
  • The criminals can also steal and exfiltrate sensitive data from a compromised account.
  • The criminals can steal the user's identity to conduct other nefarious activities.

Solution: It is therefore recommended that:

  • Users should continually take steps to protect their computers and remove any malware using reliable anti-malware software.
  • Users should turn on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.
  • Users should avoid accepting third-party cookies from untrusted websites.
  • If a user suspects that their account may have been compromised, or as a general precaution, they should sign out of all browser profiles to invalidate the current session tokens. Following this, reset the password and sign back in to generate new tokens. Resetting the password disrupts unauthorized access by invalidating the old tokens that the infostealers rely on, providing a crucial barrier to the continuation of the exploit.
  • Users should always update their web browsers as soon as an update notification appears.

References: