“This endpoint operates by accepting a vector of account IDs and auth-login tokens — data essential for managing simultaneous sessions or switching between user profiles seamlessly,” CloudSEK stated in the blog post. “While the MultiLogin feature plays a vital role in user authentication, it also presents an exploitable avenue if mishandled, as evidenced by recent malware developments.”
To confirm that a MultiLogin endpoint has been used to regenerate session cookies in the exploit, CloudSEK conversed with Prisma and reverse engineered the exploit executable offered by the threat actor. The analysis revealed the exact undocumented MultiLogin endpoint that was used in the exploit.
Password resets are not enough
The exploit is possible only after an initial compromise of a user’s system to retrieve valid user session tokens. Malware first infects a victim’s computer, often through methods such as malicious spam or untrustworthy downloads. Once the system is compromised, the malware searches for web browser session cookies and other data that can be exploited to gain unauthorized access to accounts.
The pilfered session tokens are sent to the operators of the malware, allowing them to infiltrate and take control of the compromised accounts. Notably, even if users detect the breach and change their Google password, the stolen tokens can still be used to log in. The malware extracts and decrypts account IDs and authentication tokens from active Google accounts by analyzing the token_service table in Chrome’s WebData, which it uses together with MultiLogin to continuously regenerate session information.
To mitigate this risk, users are advised to sign out completely, thereby invalidating the session tokens and preventing further exploitation.
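From a detection standpoint, the behaviour described above has a recognisable host-side footprint: a process other than the browser opening Chrome’s profile databases (the Web Data file that holds the token_service table, or the Cookies database). The following is an added example, not code from the article or from CloudSEK, that runs that check over a constructed set of file-access events; the event format, the sample paths and the allow-list of browser images are assumptions to be tuned to real telemetry.

```python
import ntpath
import re
from typing import Dict, Iterable, List

# Constructed sample of process file-access events (not real telemetry).
# Fields: pid, process image path, file path opened, access mode.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data", "access": "rw"},
    {"pid": 7788, "image": r"C:\Users\alice\AppData\Local\Temp\setup_tmp.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data", "access": "r"},
    {"pid": 7788, "image": r"C:\Users\alice\AppData\Local\Temp\setup_tmp.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies", "access": "r"},
    {"pid": 9001, "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\Documents\notes.txt", "access": "r"},
]

# Chrome profile artefacts an infostealer reads: "Web Data" holds the
# token_service table (account ID + token), "Cookies" holds session cookies.
SENSITIVE_NAMES = {"web data", "cookies", "login data"}
PROFILE_MARKER = re.compile(r"\\google\\chrome\\user data\\", re.IGNORECASE)

# Images legitimately expected to open those files (assumption: tune per fleet).
ALLOWED_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\google\chrome\application\chrome.exe",
}


def is_sensitive_chrome_file(path: str) -> bool:
    """True when path is a Chrome profile database an infostealer would target."""
    if not PROFILE_MARKER.search(path):
        return False
    # ntpath handles backslash-separated Windows paths on any host OS.
    return ntpath.basename(path).lower() in SENSITIVE_NAMES


def detect_credential_access(events: Iterable[Dict]) -> List[Dict]:
    """Return events where a non-browser process opened a sensitive Chrome DB."""
    hits = []
    for ev in events:
        if not is_sensitive_chrome_file(ev["path"]):
            continue
        if ev["image"].lower() in ALLOWED_IMAGES:
            continue
        hits.append({"pid": ev["pid"], "image": ev["image"], "file": ntpath.basename(ev["path"])})
    return hits


if __name__ == "__main__":
    for hit in detect_credential_access(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['pid']} {hit['image']} read {hit['file']}")
```

On the constructed sample the browser’s own access is ignored and the two reads by the unknown executable in Temp are flagged; in production the same logic would sit on top of file-access telemetry such as Sysmon or EDR events.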
Lumma hid the exploit with token encryption
To obfuscate its exploitation mechanism, Lumma encrypted the token: GAIA ID pair extracted from the token_service table, a critical component of Google’s authentication process.