Google Downplays Undocumented Chrome API Exploited by Malware to Extend Account Theft: Report
A simmering cyberwarfare saga just took a concerning turn, with researchers uncovering a novel technique employed by malware to prolong access to stolen Google accounts. While Google downplays the severity, security experts raise alarms about the implications of this undocumented Chrome API vulnerability.
Malware’s New Trick: In late November, reports emerged of malware such as Lumma and Rhadamanthys reviving expired Google authentication cookies, essentially granting attackers persistent access to victims’ accounts. Now, this tactic has gained traction, with four more malware families, Stealc, Medusa, RisePro, and Whitesnake, adopting the same method.
The Undocumented Weapon: The key to this extended breach lies in an obscure Google OAuth “MultiLogin” API endpoint, discovered by cybersecurity firm CloudSEK. This API, initially believed to sync accounts across Google services, seems vulnerable to manipulation.
Exploiting the Loophole: Researchers suspect the malware abuses this API by stealing two crucial credentials from Chrome: the regular authentication cookies and a special “Refresh” token. With the Refresh token, the malware can generate new cookies even after the stolen ones expire, perpetuating unauthorized access. This effectively extends the malware’s lifespan within targeted accounts.
Google’s Murky Response: BleepingComputer’s attempts to understand the MultiLogin API have been met with silence from Google. The only documentation exists within Chrome’s source code, leaving security experts and users in the dark about its intended purpose and potential vulnerabilities.
Concerns on the Rise: Security researchers like Pavan Karthick of CloudSEK are sounding the alarm. They highlight the ease with which malware exploits this undocumented API, granting attackers extended access to sensitive user data, including emails, documents, and contacts. Furthermore, the lack of transparency from Google regarding the purpose and security of this API only amplifies the concerns.
Beyond Technicalities: The…