Hackers exploit expired browser cookies to break into Google accounts

When browsing websites, we often get requests to accept or decline cookies. Generally, these cookies are designed to be beneficial and have a limited lifespan. They help the browser remember items in the user’s shopping cart or keep them logged in on websites, enhancing browsing experience. Unfortunately, a recent report from cyber security firm CloudSEK found that a dangerous form of malware uses third-party cookies (in Google Chrome) to gain unauthorized access to people's private data and is already being actively tested by hacking groups. 

Put simply, this exploit means that hackers can use your expired browser cookies to bypass two-factor authentication and gain access to your Google account, making inroads to your personal information and banking details.

The exploit was first revealed by a threat actor named PRISMA on October 20, 2023, who posted on Telegram that they discovered a way to restore expired Google authentication cookies. After reverse engineering the exploit, CloudSEK discovered it uses an undocumented Google OAuth endpoint named "MultiLogin," which is intended for synchronizing accounts across different Google services by accepting a vector of account IDs and auth-login tokens. 

In November, the cybercriminals behind the Lumma and Rhadamanthys info-stealing malware strains claimed that they were able to restore expired Google Authentication cookies that were stolen in cyber-attacks. That said, “a hacker can gain unauthorized access to your Google account even after you’ve logged out, reset your password or their session has expired,” wrote Pavan Karthick M, a threat intelligence researcher at CloudSEK, in a blog post detailing the issue. 

These session cookies are a zero-day vulnerability being exploited by at least six malware developers actively. So, there’s no immediate way to know if you’ve been compromised in such an attack. Karthick emphasized that this kind of attack highlights the need for continuous monitoring of both technical vulnerabilities and human intelligence sources to stay ahead of emerging cyber threats. 

Google Chrome is the world's most popular web browser with a market share of over 60% last year. Google acknowledged the vulnerability and said it is currently cracking down on third-party cookies. You can also protect your account by signing out on an affected device, it said. The company also recommended that users continually remove any malware from their computers and enable ‘enhanced safe browsing’ in Chrome to protect against phishing and malware downloads. 

This is also not the first time that vulnerabilities were found in Google Chrome web browser. The Indian Computer Emergency Response Team (CERT-In) issued a high severity rating warning in October of multiple vulnerabilities in internet browser Google Chrome. The national nodal agency for cybercrimes also outlined the various gaps in the browser that can be exploited by hackers or other cyber criminals.