New malware restores cookies to break into your Google Account [U: Google responds]

  • Nishadil
  • January 03, 2024

A severe cookie-related vulnerability, which first requires malware to exfiltrate files from Chrome, appears to allow access to Google Accounts even after passwords are changed.

Update 1/2/24: Google is out with a response to the session token malware today. The company says it has “taken action to secure any compromised accounts detected,” and that the way to combat stolen sessions is by signing out (chrome://settings/ > “Turn off”) of the affected browser or device.

Original 12/29/23: This is according to BleepingComputer and a writeup by CloudSEK and Hudson Rock. At a high level, this vulnerability requires malware to be installed on a desktop in order to “extract and decrypt login tokens stored within Google Chrome’s local database.” What’s attained is then used to send a request to a Google API – normally used by Chrome to sync accounts across different Google services – and create “stable and persistent Google cookies” responsible for authentication that can be used to access your account.

In this case, it’s not clear whether two-factor authentication provides any protection. What’s most concerning is that this “restoration” process can be repeated multiple times if the victim never becomes aware that they’ve been compromised. Even worse, after a Google Account password reset, this exploit can still be used one more time by the bad actor to get access to your account.

Multiple malware groups, six by BleepingComputer’s count, have access to this vulnerability and are selling it. This exploit was first advertised in mid-November. Notably, some of these parties say they have already updated this vulnerability to combat the countermeasures Google has implemented. We’ve reached out to Google for more information.

In terms of immediate measures you can take, do not install software you’re not familiar with (as it could be malware).

Kyle Bradshaw contributed to this post.

Disclaimer: This article was generated in part using artificial intelligence and may contain errors or omissions. The content is provided for informational purposes only and does not constitute professional advice. We make no representations or warranties regarding its accuracy, completeness, or reliability. Readers are advised to verify the information independently before relying on