Tag Archive for: accounts

Hackers discover way to access Google accounts without a password


Security researchers have uncovered a hack that allows cyber criminals to gain access to people’s Google accounts without needing their passwords.

Analysis from security firm CloudSEK found that a dangerous form of malware uses third-party cookies to gain unauthorised access to people’s private data, and is already being actively tested by hacking groups.

The exploit was first revealed in October 2023 when a hacker posted about it in a channel on the messaging platform Telegram.

The post noted how accounts could be compromised through a vulnerability with cookies, which are used by websites and browsers to track users and increase their efficiency and usability.

Google authentication cookies allow users to access their accounts without constantly having to enter their login details; however, the hackers found a way to retrieve these cookies in order to bypass two-factor authentication.

The Google Chrome web browser, which is the world’s most popular with a market share greater than 60 per cent last year, is currently in the process of cracking down on third-party cookies.

“We routinely upgrade our defences against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected,” Google said in a statement.

“Users should continually take steps to remove any malware from their computer, and we recommend turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.”

The researchers who first uncovered the threat said it “underscores the complexity and stealth” of modern cyber attacks.

“This exploit enables continuous access to Google services, even after a user’s password is reset,” Pavan Karthick M, a threat intelligence researcher at CloudSEK, wrote in a blog post detailing the issue.

“It highlights the necessity for continuous monitoring of both technical vulnerabilities and human intelligence sources to stay ahead of emerging cyber threats.”

The security issue was detailed in a report, titled ‘Compromising Google accounts:…

Source…

Chrome Browser Alert! This Cookie Malware Can Access Your Google Accounts Even If You Reset Password, Log Out; Details


Online threats and malware can be tough to track in the rapidly evolving digital world. Among the newest of these concerns is a data-stealing malware that abuses Google’s OAuth endpoint called ‘MultiLogin’ to revive expired cookies and sign in to user accounts, according to a report from BleepingComputer. This works even after you reset an account’s password or log out from the internet browser.

For the unaware, session cookies store the authentication details of an account so that users can log in to websites automatically next time without entering their sign-in credentials. They have an expiration period to limit their misuse by bad actors, such as stealing access to user accounts. Last month, the news outlet reported on information-stealers that could restore access to expired authentication cookies.


Such malware allows a cybercriminal to access Google accounts even if the victim has logged out, changed their password or reached session expiry. According to a new report from CloudSEK, it was first disclosed by threat actor PRISMA in October, who posted about the exploit on the messaging platform Telegram. As per the researchers, the exploit uses the Google OAuth endpoint that synchronises accounts across Google services.


The malware abuses the endpoint to extract tokens and accounts of Chrome profiles logged into a Google account. Later, this data (including saved passwords) is decrypted to extract information. With the stolen token, the cybercriminals regenerate the cookie and can ensure continuous access to these accounts.


CloudSEK researcher Pavan Karthick told BleepingComputer that the cookie can be regenerated only once if a user changes their password. In other cases, it can be refreshed multiple times. According to the report, a minimum of…

Source…

How I Survived Hackers Locking My Accounts, Stealing $4,000


One day in late September, I woke up to an alarming text from my investment adviser, saying he had replied to the email I’d sent him. Problem was, I hadn’t sent him an email. Muttering expletives, I hurriedly checked online and saw that someone had logged in to my investment account and transferred out $4,000. I’d been hacked and robbed.

Up to then, I had felt safe from the scourges of phishing attacks and fraud, as I considered myself a savvy internet traveler. But it quickly became clear that cyberthieves were far more savvy than me. Within days, I was facing a full-on assault from online thieves.

Even before the $4,000 was stolen, I’d noticed unusual activity in my accounts. I had received fraud alerts on two credit cards within minutes, both of which I canceled.

Now, knowing the attack was real, I checked my online account at a large retail chain. Two smartphones were in the shopping cart, to be shipped to a sketchy mail drop point in Reisterstown, Maryland, a locale I’d never visited. My digital wallet had a Bancorp Bank credit card, which I hadn’t ordered. Did hackers have all my passwords?

Next, I discovered that my Amazon account had been locked due to suspicious activity. I hadn’t received any notifications from Amazon, so I called customer service. A smart representative advised me to check my email account and look at any filters that had been set up. As he suspected, hackers had blocked all emails from Amazon or my bank. This meant the hackers had not only my Amazon password but my email password too.

I suspected my computer might have malware, but two programs showed it was clean. My computer consultant mentioned that he’d once been hacked through his router, which he told me was the most vulnerable part of a home network, so I changed the router password and the Wi-Fi password too.

Next step was the time-consuming project of changing dozens of website passwords, one by one. When I opened my password manager and…

Source…

Google accounts may be vulnerable to new hack, changing password won’t help


A new method allegedly enables hackers to exploit functionality of the OAuth2 authorization protocol to compromise Google accounts and maintain valid sessions by regenerating cookies despite an IP change or password reset.

According to security firm CloudSEK, a threat actor under the alias PRISMA boasted a potent zero-day exploit and developed a sophisticated solution to generate persistent Google cookies through token manipulation.

“This exploit enables continuous access to Google services, even after a user’s password reset,” the report reads.

OAuth 2.0 stands for “Open Authorization 2.0” and is a widely used protocol for securing and authorizing access to resources on the internet. It makes verifying user identity easy by tapping into their social media accounts, such as Google or Facebook.

CloudSEK’s threat research team traced the root of the exploit to an undocumented Google OAuth endpoint named “MultiLogin.” This is an internal mechanism designed for synchronizing Google accounts across services, which ensures that browser account states align with Google’s authentication cookies.

The developer of the exploit “expressed openness to cooperation,” which accelerated the discovery of the endpoint responsible for regenerating the cookies.

The exploit, incorporated in a malware called Lumma Infostealer on November 14th, boasts two key features: session persistence and cookie generation. To exfiltrate the required secrets, tokens, and account IDs, the malware targets the token_service table in the WebData database of logged-in Chrome profiles.

“The session remains valid even when the account password is changed, providing a unique advantage in bypassing typical security measures,” the report quotes PRISMA. “The capability to generate valid cookies in the event of a session disruption enhances the attacker’s ability to maintain unauthorized access.”

Researchers noted a concerning trend of rapid exploit integration among various Infostealer groups. They think the exploitation of the undocumented Google OAuth2 MultiLogin endpoint provides a textbook example of sophistication, as the approach hinges on a nuanced manipulation of the GAIA ID (Google Accounts and ID…

Source…