CloudSEK, a cybersecurity company, recently reported that the malware group PRISMA claims to have a special feature that allows them to reuse stolen Google login cookies, even after the account owner has reset their password and logged out.
CloudSEK discovered that PRISMA takes advantage of Google’s own login system, specifically the API endpoint https://accounts.google.com/oauth/multilogin, which supports multi-account logins. A client holding a login token can send a request to this endpoint and receive cookies that grant access to various Google services.
Normally, if users suspect that they are affected by malware or that their login information is compromised, the original login tokens should be invalidated. However, this vulnerability has been discussed in online chat communities since October, where malicious actors have been able to exploit tokens that should no longer be valid. As a result, various malware groups have increasingly made use of this loophole. Although Google has not specifically acknowledged the vulnerability, the Lumma malware has mentioned implementing additional measures to protect against potential bans from Google, suggesting that Google may be aware of the exploitation.
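To make the design point concrete, the following is an added illustration and not CloudSEK's analysis or Google's code: a toy model of a token-for-cookie exchange endpoint in two variants. The weak variant only checks that the presented login token exists, so a password reset does not stop a stolen token from minting fresh cookies. The hardened variant records a per-account credential generation when a token is minted and refuses any token issued before the latest reset. All class names, the `victim@example.com` account and the token format are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    email: str
    credential_generation: int = 0  # incremented on every password reset


@dataclass
class LoginToken:
    value: str
    email: str
    generation: int  # credential_generation at the time the token was minted


class AuthServer:
    """Toy authorization server, constructed for illustration only."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.tokens: Dict[str, LoginToken] = {}

    def create_account(self, email: str) -> None:
        self.accounts[email] = Account(email=email)

    def login(self, email: str) -> LoginToken:
        """Password login succeeded: mint a long-lived login token."""
        acct = self.accounts[email]
        tok = LoginToken(secrets.token_urlsafe(16), email, acct.credential_generation)
        self.tokens[tok.value] = tok
        return tok

    def reset_password(self, email: str) -> None:
        """A reset bumps the generation; the token store itself is untouched."""
        self.accounts[email].credential_generation += 1

    def multilogin_weak(self, token_value: str) -> Optional[str]:
        """Token-to-cookie exchange that only asks 'does this token exist?'."""
        tok = self.tokens.get(token_value)
        if tok is None:
            return None
        return self._mint_cookie(tok)

    def multilogin_hardened(self, token_value: str) -> Optional[str]:
        """Same exchange, but refuses tokens minted before the last reset."""
        tok = self.tokens.get(token_value)
        if tok is None:
            return None
        acct = self.accounts[tok.email]
        if tok.generation != acct.credential_generation:
            del self.tokens[token_value]  # stale token: purge it
            return None
        return self._mint_cookie(tok)

    @staticmethod
    def _mint_cookie(tok: LoginToken) -> str:
        # Constructed cookie format; a real service would set several cookies.
        return f"SID={secrets.token_hex(8)};account={tok.email}"


def run_scenario() -> Dict[str, bool]:
    """Replay a copied token through both endpoints before and after a reset."""
    server = AuthServer()
    server.create_account("victim@example.com")
    stolen = server.login("victim@example.com").value  # copied by an infostealer

    weak_before = server.multilogin_weak(stolen) is not None
    hardened_before = server.multilogin_hardened(stolen) is not None
    server.reset_password("victim@example.com")
    weak_after = server.multilogin_weak(stolen) is not None
    hardened_after = server.multilogin_hardened(stolen) is not None
    return {
        "weak_before_reset": weak_before,
        "hardened_before_reset": hardened_before,
        "weak_after_reset": weak_after,
        "hardened_after_reset": hardened_after,
    }


if __name__ == "__main__":
    for step, issued in run_scenario().items():
        print(f"{step}: {'cookie issued' if issued else 'refused'}")
```

The generation counter is the key design choice: because it lives on the account rather than on each token, a reset revokes every token minted earlier without having to enumerate them, which is what users reasonably expect a password change to achieve.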
TLDR: CloudSEK has revealed that the malware group PRISMA can reuse stolen Google login cookies, even after the account owner has reset their password. This is possible due to a vulnerability in Google’s login system that enables multi-account logins. Despite not publicly acknowledging the vulnerability, Google may be aware of the issue as mentioned by the malware group Lumma, which implemented additional security measures to prevent potential bans.