Google Password Resets Not Enough To Stop These Info-Stealing Malware Strains (theregister.com)
Security researchers say info-stealing malware can still access victims' compromised Google accounts even after passwords have been changed. From a report: A zero-day exploit of Google account security was first teased by a cybercriminal known as "PRISMA" in October 2023, boasting that the technique could be used to log back into a victim's account even after the password is changed. It can also be used to generate new session tokens to regain access to victims' emails, cloud storage, and more as necessary. Since then, developers of infostealer malware -- primarily targeting Windows, it seems -- have steadily implemented the exploit in their code. The total number of known malware families that abuse the vulnerability stands at six, including Lumma and Rhadamanthys, while Eternity Stealer is also working on an update to release in the near future.
Eggheads at CloudSEK say they found the root of the exploit to be in the undocumented Google OAuth endpoint "MultiLogin." The exploit revolves around stealing victims' session tokens. That is to say, malware first infects a person's PC -- typically via a malicious spam or a dodgy download, etc -- and then scours the machine for, among other things, web browser session cookies that can be used to log into accounts.
Gmail sucks monkey balls. (Score:3)
Re:Geeks still running Windows? (Score:5, Interesting)
An AT&T account was broken into for my mom. I reset the password remotely, noticed several changes had been made. However, even after changing the password my mom could still use her web mail, since she never logged out. A couple of weeks later it seemed like some other changes had been made, even with the extra security (i.e., a PIN number). I am suspicious that the same reason was there - mom didn't need to know the new password since she had a cookie holding the session open, and the attacker, once he had access, also just had to keep a session open.
The more modern the web gets, the more it replicates ancient security holes. Web X.0 is all about writing code faster, and that means introducing bugs faster as well. Security is expensive and inconvenient and so is too often the first thing to be ignored.
Re: (Score:2)
False. Facebook invalidates all cookies and sessions when you change a password and makes you re-authorise *all* your devices and sessions; which becomes a real pain in the arse if you're the type of person to use Facebook logins for other services since all those are invalidated as well.
Re:Geeks still running Windows? (Score:2)
Re: (Score:2)
The line for the geek card returns is over there.
Being totally ignorant (Score:5, Interesting)
That sounds like an obvious flaw: Using an old session token to demand a new session token. A bit like using a photo of Donald Trump to demand a new passport.
That sounds like 2 problems: 1) The always logged-in philosophy means there's always a valid session cookie to steal; 2) The session cookie is not stored in an encrypted form.
Re: (Score:2)
Re: (Score:3)
That sounds like an obvious flaw: Using an old session token to demand a new session token.
This seems fine to me. It's like using the old password in order to set a new password. But the new session token should invalidate all other session tokens. And therefore the server should check every request for an invalidated token.
2) The session cookie is not stored in an encrypted form.
One of the reasons I do not use Chromium is that it does not have a master password.
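The invalidation the comment above asks for, as an added example that is not code from the article, Google, or any commenter: a minimal server-side session store where a password change bumps a per-user credential generation, so a session token stolen earlier can neither be presented nor exchanged for a fresh one afterwards. The `SessionStore` class, its method names and the sample users are constructed for illustration.

```python
import secrets


class SessionStore:
    """In-memory model of server-side session handling (constructed example).

    Each session records the user's credential generation at issue time.
    Changing the password bumps that generation, so every request carrying
    an older token, including a refresh request, is rejected on the spot.
    """

    def __init__(self):
        self.credential_generation = {}  # user -> int, bumped on password change
        self.sessions = {}               # token -> (user, generation at issue)

    def login(self, user, password_ok):
        if not password_ok:
            raise PermissionError("bad password")
        gen = self.credential_generation.setdefault(user, 0)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, gen)
        return token

    def is_valid(self, token):
        # Checked on every request: a token from a stale generation is dead
        entry = self.sessions.get(token)
        if entry is None:
            return False
        user, gen = entry
        return gen == self.credential_generation[user]

    def refresh(self, old_token):
        # Mint a replacement only from a token that is still valid right now;
        # an old token surviving a password change must not be enough.
        if not self.is_valid(old_token):
            self.sessions.pop(old_token, None)
            raise PermissionError("session revoked; re-authenticate")
        user, gen = self.sessions.pop(old_token)
        new_token = secrets.token_urlsafe(32)
        self.sessions[new_token] = (user, gen)
        return new_token

    def change_password(self, user):
        # One counter bump invalidates every session issued before this moment
        self.credential_generation[user] = self.credential_generation.get(user, 0) + 1


def demo():
    """Stolen token, victim resets password, attacker tries to refresh it."""
    store = SessionStore()
    stolen = store.login("alice", True)  # token lifted from the browser profile
    store.change_password("alice")       # victim resets the password
    try:
        store.refresh(stolen)
        return "refresh succeeded"
    except PermissionError:
        return "refresh rejected"
```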
Change password AND.... (Score:3, Informative)
Re: (Score:3)