An undocumented Google OAuth endpoint has been identified as the root of the notorious info-stealing exploit that various threat actors have been widely incorporating into their code since it appeared in October 2023.
The critical exploit, which allows the generation of persistent Google cookies through token manipulation and enables continuous access to Google services even after a user's password reset, was first revealed by a threat actor known as 'Prisma' on a Telegram channel.
Open Authorization (OAuth) is an open standard for access delegation, commonly used to enable secure access to resources without sharing user credentials. When a third-party application wants to access Google user data (such as Gmail, Google Calendar, or Google Drive), it redirects the user to Google's OAuth authorization endpoint.
The exploit's root is an undocumented Google OAuth endpoint named 'MultiLogin,' according to a new blog post by CloudSEK, a cybersecurity intelligence company that has been tracking the exploit. Using the Google OAuth endpoint in this way allows a session-hijacking exploit to renew expired authentication cookies and gain unauthorized access to a user's active Google services.
After the exploit was first teased on the Telegram channel, it was reverse-engineered and incorporated into the Lumma InfoStealer malware. It has since been adopted by Rhadamanthys, Risepro, Meduza, Stealc Stealer and White Snake, according to CloudSEK research.
CloudSEK analyzed the Chromium codebase and identified the MultiLogin endpoint, an internal mechanism designed for synchronising Google accounts across services.