We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Google Endpoint Exploit Lets Hackers Hijack Accounts

Google Endpoint Exploit Lets Hackers Hijack Accounts
Author Image Zane Kennedy
Zane Kennedy Published on 3rd January 2024 Cybersecurity Researcher

In a troubling development in cybersecurity, multiple information-stealing malware families have been found exploiting an undocumented Google OAuth endpoint, identified as "MultiLogin," to regenerate expired authentication cookies. This discovery, initially made by a developer named PRISMA in October 2023, presents a significant threat to Google account security.

Hudson Rock’s Alon Gal was the first to discover this vulnerability being allegedly leveraged, after exploitation of it was added to the feature list of an info-stealer malware called Lumma. While it is not certain as of yet whether this functionality works, it has been found to have been implemented in other information stealer malware since. BleepingComputer reported that the exploit had been adopted in the malware Rhadamanthys, Risepro, Meduza, Stealc Stealer, and possibly more.

This exploit is particularly alarming because session cookies, which should have a limited lifespan for security, could be manipulated for prolonged unauthorized access. It can even work after users have reset the password on their Google account.

The malware involved rely on Chrome’s token_service table of WebData, targeting tokens and account IDs of Chrome profiles. Once extracted, the encrypted tokens are decrypted using a key stored in Chrome's Local State. This same key is also employed for decrypting saved passwords in browsers, adding another layer of vulnerability.

Researchers at CloudSEK reverse-engineered the exploit and discovered its dependence on an undocumented "MultiLogin" endpoint. This endpoint is a part of Google's internal mechanism designed for synchronizing Google accounts across services. It handles account IDs and auth-login tokens for managing concurrent sessions or transitioning between user profiles. The exploit uses this endpoint to regenerate Google service cookies by manipulating the token:GAIA ID pair.

Despite multiple attempts by BleepingComputer and Hudson Rock to alert Google about this ongoing exploit, there has been no official response from the tech giant.

Adding to the complexity, the malware developers continuously update their methods to bypass Google's mitigations. For instance, Lumma's developers recently released an update to counteract new measures imposed by Google, This suggests Google is aware of the exploit but has yet to address it fully.

As the exploit becomes increasingly widespread among various infostealer groups, the urgency for a robust solution from Google intensifies. Until then, users are advised to exercise caution, particularly in downloading files from dubious sources, and to remain vigilant in monitoring their account activities. The cybersecurity community remains watchful, awaiting Google's response to this significant challenge to its security infrastructure.

About the Author

Zane is a Cybersecurity Researcher and Writer at vpnMentor. His extensive experience in the tech and cybersecurity industries provides readers with accurate and trustworthy news stories and articles. He aims to help individuals protect themselves through informative content and awareness of cybersecurity's crucial role in today's digital landscape.