Pelican Press (Diamond Member), posted April 28, 2024

Google Responds to Detection of Session Token Malware Capable of Hijacking Accounts: Report

Malware designed to steal information from users and hijack their Google accounts is being exploited by multiple malicious groups — even after a password has been reset — according to security researchers. The exploit is reportedly aimed at Windows computers. Once the device is infected, it uses a technique used by “info stealers” to exfiltrate the login session token — assigned to a user’s computer when they log in to their account — and upload it to the cybercriminal’s server.

According to a report published by researchers at CloudSEK, the malware was first launched by threat group PRISMA in October 2023, and uses the search giant’s OAuth endpoint called MultiLogin that is used by Google to allow users to switch between user profiles on the same browser or use multiple login sessions simultaneously.

The malware uses auth-login tokens from a user’s Google accounts that are logged in on the computer. The necessary details are decrypted with the help of a key that is stolen from the UserData folder in Windows, as per the report.

Using the stolen login session tokens, malicious users can even regenerate an authentication cookie to log in to a user’s account after it has expired — it can even be reset once, when a user changes their password. As a result, the malware operators can retain access to a user’s account. Threat intelligence group Hudson Rock has provided a demonstration of the flaw being exploited.

Meanwhile, BleepingComputer reports that various malware creators have already started to use the exploit to gain access to user data — on November 14, the Lumma stealer was updated to take advantage of the flaw, followed by Rhadamanthys (November 17), Stealc (December 1), Medusa (December 11), RisePro (December 12), and Whitesnake (December 26).

In a statement to 9to5Google, the search giant said that it routinely upgraded its defences against the techniques used by malware, and that compromised accounts detected by the company have been secured.

Google also points out that users can revoke or invalidate the stolen session tokens by either logging out of the browser on a device that has been infected with the malware, or by going to their account settings and remotely signing out of those sessions. Users can also scan their computers for malware and enable the Enhanced Safe Browsing setting in Google Chrome to avoid downloading malware to their computers, according to the company.
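
A defender-side sketch of the UserData point in the article, added here as an example and not taken from the article or from CloudSEK's report: it flags file-access records in which anything other than the installed browser touches the browser profile directory. The profile path, the trusted install paths and the record fields are assumptions, and the sample records are constructed.

```python
import ntpath

# Assumption: Chrome's default profile root on Windows
# (the article only says "UserData folder").
PROFILE_MARKER = "\\appdata\\local\\google\\chrome\\user data\\"

# Assumption: the only images this fleet treats as the genuine browser.
TRUSTED_IMAGES = {
    "c:\\program files\\google\\chrome\\application\\chrome.exe",
    "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
}


def norm(path):
    """Windows paths are case-insensitive and may contain '/' or '..' segments."""
    return ntpath.normpath(path).lower()


def suspicious_accesses(events):
    """Return the events in which an untrusted image touched browser profile data."""
    hits = []
    for ev in events:
        touches_profile = PROFILE_MARKER in norm(ev["target"])
        # Compare the full image path: a stealer can simply call itself chrome.exe.
        trusted = norm(ev["image"]) in TRUSTED_IMAGES
        if touches_profile and not trusted:
            hits.append(ev)
    return hits


# Constructed sample records (hypothetical field names, not a real log schema).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\example.db"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\example.db"},
    {"image": r"C:\Users\alice\Downloads\setup.exe",
     "target": "C:/Users/alice/AppData/Local/Temp/../GOOGLE/Chrome/User Data/example.json"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for ev in suspicious_accesses(SAMPLE_EVENTS):
        print("ALERT:", ev["image"], "->", ev["target"])
```

An alert from a rule like this is a cue to sign the affected account out of its sessions, as the article describes, since a password change alone does not invalidate the stolen token.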