Google releases a statement as highly exploited Chromium bug traced

Reading time icon 2 min. read

Readers help support MSPoweruser. When you make a purchase using links on our site, we may earn an affiliate commission. Tooltip Icon

Read the affiliate disclosure page to find out how can you help MSPoweruser effortlessly and without spending any money. Read more

Security researchers have identified a potential vulnerability in Google’s authentication process that could allow attackers to access user accounts, even after password changes. The vulnerability, discovered by threat intelligence firm CloudSEK, involves the undocumented MultiLogin endpoint and stolen account IDs and tokens from Chrome.

The details of the vulnerability and its extent are still under investigation. Initial reports suggest information stealers have exploited this vulnerability for over a month. These malware programs target Chrome browser data to retrieve account IDs and tokens, which are then used with the MultiLogin endpoint to regenerate Google cookies and gain persistent access to accounts.

While the full range of affected accounts remains unclear, the potential impact is significant. This vulnerability could potentially target various Google services, including Gmail, Drive, and Photos, exposing sensitive user data and posing risks for personal and professional accounts.

Although password changes are typically effective security measures, this vulnerability bypasses them, raising concerns about prolonged unauthorized access. CloudSEK emphasized the situation’s critical nature and notified Google of the issue.

Here is the statement by Google as reported by SecurityWeek:

Google is aware of recent reports of a malware family stealing session tokens. Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected. 

However, it’s important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user. This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser or remotely revoked via the user’s devices page. We will continue to monitor the situation and provide updates as needed.

In the meantime, users should continually take steps to remove any malware from their computer, and we recommend turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.

This is a serious vulnerability that could have widespread implications for Google users. It’s important to be aware of the risks and take steps to protect yourself.

More about the topics: cyber security, google