Security researchers recently warned of new malware capable of reviving expired authentication tokens via a Google Chrome API.
The feature is a one-off, but still dangerous as it allows threat actors to remain logged into their victims’ Google accounts for longer.
However Google is now looking to downplay the importance of the vulnerability, essentially stating it’s no more than simple session cookie theft.
Vulnerability, or is it?
In a statement shared with BleepingComputer, the search engine giant said: “Google is aware of recent reports of a malware family stealing session tokens. Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.”
Citing people familiar with the matter, the publication further stated that Google doesn’t really see this as a vulnerability, and instead believes the API works as intended. The search engine behemoth advised users to log out of their Chrome browser and kill all active sessions via g.co/mydevices, as that will invalidate the Refresh token.
“In the meantime, users should continually take steps to remove any malware from their computer, and we recommend turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads,” Google added.
The advice is sound, but this is something people rarely do proactively, and by the time they’re infected with malware, it’s already too late.
In late November 2023, cybersecurity researchers from Hudson Rock warned that the latest version of the Lumma infostealer was observed being able to restore expired Google cookies. The team discovered an ad for the feature posted on a dark web forum which said that the version released on November 14 can “restore dead cookies using a key from restore files.” The ad further stresses that this only applies to Google cookies.