While Google downplays the severity, security experts raise alarms about the implications of this undocumented Chrome API vulnerability.
A simmering cyberwarfare saga just took a concerning turn, with researchers uncovering a novel technique employed by malware to prolong access to stolen Google accounts.
Malware’s New Trick: In late November, reports emerged of malware like Lumma and Rhadamanthys reviving expired Google authentication cookies, essentially granting attackers persistent access to victims’ accounts. Now, this tactic has gained traction, with four more malware families including Stealc, Medusa, RisePro, and Whitesnake adopting the same method.
The Undocumented Weapon: The key to this extended breach lies in an obscure Google OAuth “MultiLogin” API endpoint, discovered by cybersecurity firm CloudSEK. This API, initially believed to sync accounts across Google services, seems vulnerable to manipulation.
Exploiting the Loophole: Researchers suspect the malware abuses this API by stealing two crucial pieces of data from Chrome: the regular authentication cookies and a special “Refresh” token. With the Refresh token, the malware can generate fresh authentication cookies even after the stolen ones expire, perpetuating unauthorized access and effectively extending the malware’s lifespan within targeted accounts.
Google’s Murky Response: BleepingComputer’s attempts to understand the MultiLogin API have been met with silence from Google. The only documentation exists within Chrome’s source code, leaving security experts and users in the dark about its intended purpose and potential vulnerabilities.
Concerns on the Rise: Security researchers like Pavan Karthick of CloudSEK are sounding the alarm. They highlight the ease with which malware exploits this undocumented API, granting attackers extended access to sensitive user data, including emails, documents, and contacts. Furthermore, the lack of transparency from Google regarding the purpose and security of this API only amplifies the concerns.
Beyond Technicalities: The implications of this exploit extend beyond technical fixes. It raises questions about Google’s responsibility in securing user data and the potential consequences of undocumented APIs. The incident also showcases the evolving tactics of cybercriminals, constantly seeking new ways to circumvent security measures.
What Lies Ahead? While Google downplays the issue, claiming it’s not technically an API loophole, security experts urge caution. They recommend users regularly update Chrome and remain vigilant against suspicious browser activity. Google, on the other hand, needs to address the concerns surrounding the MultiLogin API, either by patching its vulnerabilities or providing proper documentation and security protocols.
A Call for Transparency: This incident underscores the importance of transparency in tech giants like Google. Users deserve to know how their data is handled and protected, especially when obscure functionalities within popular software like Chrome pose potential security risks. Moving forward, open communication and responsible development practices are key to securing user trust and preventing similar vulnerabilities from being exploited.