Google password resets not enough to stop malware that recreates login tokens

A zero-day exploit of Google account security was first teased by a cybercriminal known as “PRISMA” in October 2023, boasting that the technique could be used to log back into a victim’s account even after the password is changed. It can also be used to generate new session tokens to regain access to victims’ emails, cloud storage, and more as necessary.

Since then, developers of info-stealer malware – primarily targeting Windows, it seems – have steadily implemented the exploit in their code. The total number of known malware families that abuse the vulnerability stands at six, including Lumma and Rhadamanthys, while Eternity Stealer is also working on an update to release in the near future.

They’re called info stealers because once they’re running on some poor sap’s computer, they go to work finding sensitive information – such as remote desktop credentials, website cookies, and cryptowallets – on the local host and leaking them to remote servers run by miscreants.

Eggheads at CloudSEK say they found the root of the Google account exploit to be in the undocumented Google OAuth endpoint “MultiLogin.”

The exploit revolves around stealing victims’ session tokens. That is to say, malware first infects a person’s PC – typically via a malicious spam or a dodgy download, etc – and then scours the machine for, among other things, web browser session cookies that can be used to log into accounts.

Those session tokens are then exfiltrated to the malware’s operators to enter and hijack those accounts. It turns out that these tokens can still be used to login even if the user realizes they’ve been compromised and change their Google password.

Here’s an important part: It appears users who’ve had their cookies stolen should log out entirely, and thus invalidate their session tokens, to prevent exploitation.


Reverse engineering the info-stealer malware revealed that the account IDs and auth-login tokens from logged-in Google accounts are taken from the token_service table of WebData in Chrome.

This table contains two columns crucial to the exploit’s functionality: service (contains a GAIA ID) and encrypted_token. The latter is decrypted using a key stored in Chrome’s Local State file, which resides in the UserData directory.

The stolen token:GAIA ID pairs can then be used together with MultiLogin to continually regenerate Google service cookies even after passwords have been reset, and those can be used to log in.


Google has confirmed that if you’ve had your session tokens stolen by local malware, don’t just change your password: log out to invalidate those cookies, and/or revoke access to compromised devices.


Source: Google password resets not enough to stop this malware • The Register

Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft