The exploitation of an undocumented Google OAuth endpoint, MultiLogin, by several information-stealing malware strains has raised significant concern across the cybersecurity landscape. The technique, which security researchers investigated after a threat actor known as Prisma disclosed it on Telegram on Oct. 20, 2023, puts user sessions and account security at substantial risk.
The exploit abuses the MultiLogin API, an internal mechanism Google uses to sync accounts across its services, by feeding it tokens taken from a browser profile in order to regenerate expired authentication cookies. Because cookies are minted fresh from the token rather than copied, this has two consequences that significantly compromise user security.
Reverse engineering the exploit traced its root cause to the undocumented MultiLogin endpoint. The endpoint accepts a Google account ID together with an authentication token, and both are stored locally in the Chrome profile (the token_service table of the profile's Web Data database, with the token encrypted under a key kept in the profile's Local State file). An infostealer that can read the profile therefore extracts the account IDs and tokens and submits them to the endpoint to obtain valid cookies.
Lumma Stealer was the first malware strain to integrate the exploit, on Nov. 14, 2023, announcing the feature and describing its implementation as an advanced blackboxing approach intended to hinder analysis. Rhadamanthys Stealer, Stealc, Medusa, RisePro and Whitesnake have since incorporated the technique as well. At least six infostealers are presently known to abuse the Google OAuth MultiLogin API.
Despite the severity of this issue, Google has not yet confirmed the abuse of MultiLogin, and the exploitation status and Google's mitigation efforts remain unclear. Until the endpoint's behavior is changed, defenders should assume that a stolen token can keep producing cookies: resetting an affected account's password is necessary but not sufficient on its own, and active sessions for the account should be revoked as well.
In response to these emerging threats, Nuspire actively conducts threat hunts within client environments to detect signs of compromise by infostealers and other cyber threats. This proactive approach aims to identify and contain compromised hosts before threat actors can act on the stolen material.
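The following is an added example, not Nuspire's tooling or code from the original article. It shows one hunting check that follows directly from where the MultiLogin inputs live: before a stealer can call the endpoint it has to read the Chrome profile's Web Data (the encrypted token) and Local State (the wrapped decryption key), so a non-browser process opening those files is a useful signal. The JSON-lines event format, the field names, the process allowlist and the sample log lines are all assumptions constructed for this example; adapt the parsing to whatever file-access telemetry your EDR actually emits.

```python
"""Hunt for non-browser processes reading Chrome profile files that hold
the account ID / token material an infostealer needs for MultiLogin abuse.

Constructed example. The event format (one JSON object per line with
"ts", "host", "process", "action", "target") is an assumed EDR-style
file-access feed, and the sample lines below are fabricated for the demo.
"""
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Files under a Chrome profile worth watching. 'Local State' holds the
# DPAPI-wrapped key; 'Web Data' holds the token_service table (account ID
# plus encrypted token); 'Cookies' and 'Login Data' are classic stealer
# targets in the same directory.
KEY_FILE = "local state"
TOKEN_FILES = {"web data", "login data", "cookies"}
PROFILE_MARKER = ("google", "chrome", "user data")
# Processes legitimately expected to open these files. Extend per environment
# (backup agents, password-manager importers) rather than widening blindly.
ALLOWED_PROCESSES = {"chrome.exe"}

# Constructed sample telemetry: one benign Chrome read, one stealer-like
# process reading key + token stores, one unrelated read, one weaker hit.
SAMPLE_LOG = r"""
{"ts":"2023-11-20T09:14:02Z","host":"WS-17","process":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","action":"file_read","target":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}
{"ts":"2023-11-20T09:15:30Z","host":"WS-17","process":"C:\\Users\\alice\\AppData\\Local\\Temp\\setup_update.exe","action":"file_read","target":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"}
{"ts":"2023-11-20T09:15:31Z","host":"WS-17","process":"C:\\Users\\alice\\AppData\\Local\\Temp\\setup_update.exe","action":"file_read","target":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}
{"ts":"2023-11-20T09:15:31Z","host":"WS-17","process":"C:\\Users\\alice\\AppData\\Local\\Temp\\setup_update.exe","action":"file_read","target":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"}
{"ts":"2023-11-20T09:16:05Z","host":"WS-17","process":"C:\\Windows\\System32\\notepad.exe","action":"file_read","target":"C:\\Users\\alice\\Documents\\notes.txt"}
{"ts":"2023-11-20T09:20:11Z","host":"WS-22","process":"C:\\Users\\bob\\Downloads\\invoice.exe","action":"file_read","target":"C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify_target(path):
    """Return 'key', 'token' or None depending on which Chrome profile file
    the path points at (None if it is not inside a Chrome profile at all)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    inside_profile = any(
        tuple(parts[i:i + 3]) == PROFILE_MARKER for i in range(len(parts) - 2)
    )
    if not inside_profile:
        return None
    name = parts[-1]
    if name == KEY_FILE:
        return "key"
    if name in TOKEN_FILES:
        return "token"
    return None


def hunt(events):
    """Group suspicious profile reads per (host, process) and rate them."""
    seen = defaultdict(lambda: {"key": set(), "token": set(), "first": None})
    for ev in events:
        if ev.get("action") != "file_read":
            continue
        proc = PureWindowsPath(ev["process"]).name.lower()
        if proc in ALLOWED_PROCESSES:
            continue
        kind = classify_target(ev["target"])
        if kind is None:
            continue
        entry = seen[(ev["host"], ev["process"])]
        entry[kind].add(PureWindowsPath(ev["target"]).name)
        entry["first"] = entry["first"] or ev["ts"]

    findings = []
    for (host, process), entry in seen.items():
        # Reading both the wrapped key and a token store is the complete
        # stealer pattern; either side alone is a weaker signal.
        severity = "high" if entry["key"] and entry["token"] else "medium"
        findings.append({
            "host": host,
            "process": process,
            "severity": severity,
            "files": sorted(entry["key"] | entry["token"]),
            "first_seen": entry["first"],
        })
    return sorted(findings, key=lambda f: f["first_seen"])


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['host']} {f['process']} read {', '.join(f['files'])}")
```

Running the script against the constructed log flags setup_update.exe on WS-17 as high severity (it read Local State plus Web Data and Cookies) and invoice.exe on WS-22 as medium (Login Data only); Chrome's own read and the Notepad read are ignored. A hit on a real host is the cue to revoke the affected account's sessions, not just to reset its password, since the token already read may still be usable against MultiLogin.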
Organizations and users should take several proactive measures to protect against abuse of the Google OAuth endpoint and similar threats.
The exploitation of the Google OAuth endpoint poses a significant threat to user security. Adopting a multi-layered security approach, including robust endpoint protection, user education, stringent access control policies, vigilant monitoring and swift response measures, is crucial to mitigating such risks and safeguarding against emerging cyber threats.