Security researchers have uncovered several malware campaigns abusing a Google OAuth endpoint to repeatedly generate session cookies, enabling persistent account hijacking even after victims change their passwords.
Stealing Cookies to Bypass Login
The attack relies on an undocumented Google OAuth 2.0 endpoint that allows generating cookies over and over, according to analysts from SafeBreach. By stealing these cookies, the attackers can silently take over Google accounts without needing passwords or multi-factor authentication approvals.
“This endpoint has been around for several years and allows obtaining a valid Google session cookie by only having access to the account’s email address. With the session cookie, the actor can access the target’s Google account,” the researchers said.
| Malware Families | Capabilities | Targets |
|---|---|---|
| RedLine Stealer | Cookie theft, screenshot capturing | Gaming platforms, crypto wallets |
| Vidar | Infostealing, backdooring | Online accounts, desktop files |
| Racoon Stealer | Credential harvesting, cookies theft | Browser data, online accounts |
At least three malware strains — Racoon Stealer, Vidar, and RedLine — have been found misusing the API to repeatedly generate authentication cookies so they can maintain access even after users change passwords.
The list also includes an unnamed infostealer malware that’s built explicitly to abuse the endpoint and hijack Google accounts using the harvested cookies.
Evading Password Changes
The findings come from a collaborative analysis published by Swiss cybersecurity company 4APT and forensics firm Prisma, who said the attackers not only leverage the stolen cookies to bypass two-factor authentication, but also deploy additional steps to evade traditional account recovery procedures.
“This allows [them] to bypass the 2FA approval process, and essentially log in without any prompts or warnings,” 4APT researchers said. “The implications, in this case, allow threat actors to bypass security warnings and notices, avoid detection whilst pilfering [victims’] Google account data and files in Google Drive.”
Furthermore, some of the malware instances reset account recovery options, such as backup phone numbers, to prevent victims from recovering access. They also enable data synchronization features to have real-time access to users’ data.
This could enable the crooks to harvest personal information from Google Drive or access private data shared by users with third-parties via email.
A Long-standing Issue
While this is the first time the blind spot has been actively exploited in the wild, issues with the API have been called out by others like NightLion Security CEO Alon Gal as early as 2018 for providing unlimited access without requiring any authorization on behalf of users.
The endpoint works by allowing developers to generate session cookies for a Google account by only specifying an email address, effectively removing the need to supply valid login credentials. But the tech giant never rolled out fixes.
“Google decided not to patch it as the attack vector requires the attacker to already know the user email address (which is not always public information),” 4APT said. Then earlier this December, software supply chain security company JFrog disclosed details of another flaw affecting Chrome for Android that permits cookies to be restored even after users log out of their Google accounts.
Impact on Billions of Google Users
With Google said to have over 3.5 billion users as of 2022, if left unaddressed, the weaknesses could result in threat actors gaining unfettered read/write access to Drive files and Gmail emails stored in Google Cloud.
“With access to the user’s Google Drive, the attackers could potentially obtain vast amounts of sensitive information,” said Etay Maor, chief cyber officer at cyber resilience company Cato Networks.
“These documents may include personally identifiable information, credentials, internal communications, source code, regulated data, secrets, keys, and tokens for cloud infrastructure – making this attack vector extremely severe,” Maor added.
What Lies Ahead?
While Google has yet to officially acknowledge, let alone address, the issues, it maintains that its abuse detection mechanisms have been updated to weed out suspicious activities stemming from this attack chain.
That said, with independent findings confirming active exploitation, it’s likely only a matter of time before long-term fixes are released considering the heightened risk it poses to user privacy and security.
“Users would do well to scrutinize account activity during this interim period before official mitigations land,” the researchers said. “For better privacy and security posture, we also recommend revoking account sessions periodically, setting up device-based 2FA instead of SMS and enabling enhanced safe browsing.”
Summary
The public disclosure that multiple malware operations are leveraging an undisclosed Google OAuth API to repeatedly generate session cookies for persistent account access highlights a serious oversight that threatens billions of Google users worldwide. Even after changing passwords, the stolen cookies grant unlimited authorization. While abuse protections and user safety recommendations provide temporary reprieve, the need for permanent fixes remains urgent to stem potential fallouts.
To err is human, but AI does it too. Whilst factual data is used in the production of these articles, the content is written entirely by AI. Double check any facts you intend to rely on with another source.
