Dangerous new malware uses cookies to break into Google accounts

Signing out and resetting passwords doesn’t deter the hackers

by · Android Police



Summary

  • Google Chrome is cracking down on third-party cookies, but a recent cookie vulnerability puts Google accounts at risk, even if passwords are changed.
  • Hackers can exploit session cookies used for user authentication to gain unauthorized access to Google accounts, bypassing passwords entirely.
  • The cookie-regeneration technique is a zero-day that at least six malware groups are actively using.

Browser cookies give your web browser the ability to remember what you do on websites, such as the items added to a shopping cart, data filled into forms, and whether you are logged in. However, those same cookies also give malware a route to your personal information and banking details. While Google Chrome is coming down hard on third-party cookies, a recently discovered cookie vulnerability leaves Google accounts exposed even if you change your password, and at least six malware groups are actively selling this exploit.

Cookies hold site data and are stored on the device where the web browser is installed. If bad actors gain access to your machine and its files with a trojan or other malware, an info stealer can read those cookies and siphon off your personal information as well. In a recent exploit detailed by Bleeping Computer, hackers restored session cookies, the cookies that store user authentication information. As the name suggests, session cookies are stored temporarily, and they let you stay signed in without entering your username and password every time (via 9to5Google).

Google uses these cookies to keep you signed in after you log in to your account. A zero-day exploit now allows cybercriminals to retrieve these session cookies and gain unauthorized access to user accounts. The danger is significant because presenting a valid session cookie bypasses the password and two-factor authentication that normally secure a Google account. This means hackers can sign in to accounts even if the real user resets their password or signs out.

First revealed in October 2023 by a bad actor going by PRISMA, the technique was reverse-engineered by CloudSEK researchers, who successfully revived Google authentication cookies that should have expired with the session. On the bright side, after a password reset the cookies can be regenerated only once more; without a reset, there is no limit on how many times they can be regenerated.

Meanwhile, Google appears to be working on a fix, because one of the malware developers exploiting this vulnerability has already issued an update to bypass Google’s countermeasures. In a statement to 9to5Google, the company acknowledged the vulnerability and said it is taking action to restore the security of any accounts that may have been compromised by stolen cookies. You can also protect your account by signing out on an affected device, Google says, because signing out invalidates the tokens behind the cookies hackers could steal, rendering those cookies useless. The company writes,

Google is aware of recent reports of a malware family stealing session tokens. Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.
However, it’s important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user. This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user’s devices page. We will continue to monitor the situation and provide updates as needed.
In the meantime, users should continually take steps to remove any malware from their computer, and we recommend turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.

The cookie-regeneration exploit is a zero-day being actively used by at least six malware developers, so there is no immediate way to know whether you have been compromised in such an attack. To protect against it, we strongly advise you to clear your browser cookies and unlink your Google account from devices you don't use frequently. If you use Google Chrome and notice any abnormal activity on your Google account, change your password immediately.
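To make the two points above concrete, here is a small server-side session store written as an added example for this article; it is not Android Police's, Google's or any malware author's code, and every name in it (SessionStore, login, logout, revoke_all, the one-week SESSION_TTL) is this example's own assumption. It shows why a session cookie is a bearer credential that works from any machine once copied, why a password reset that leaves existing sessions alone does not evict an attacker, and why signing out or remotely revoking sessions does. Note that cookie flags such as HttpOnly and Secure do not help here: they stop scripts and plaintext transport from reading the cookie, not malware that already has file access on the device.

```python
import hashlib
import secrets
import time

# Added example, not code from the article or from Google. All identifiers are
# hypothetical. SESSION_TTL is an assumed one-week session lifetime.
SESSION_TTL = 7 * 24 * 3600


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _hash_token(token: str) -> str:
    # Store only a hash of the cookie value, so a leaked session table
    # cannot itself be replayed as cookies.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self):
        self._users = {}     # username -> {"salt": bytes, "hash": bytes}
        self._sessions = {}  # sha256(cookie value) -> {"user": str, "expires": float}

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = {"salt": salt, "hash": _hash_password(password, salt)}

    def login(self, user: str, password: str):
        """Password (and, in a real system, 2FA) is checked here and only here."""
        rec = self._users.get(user)
        if rec is None or not secrets.compare_digest(rec["hash"], _hash_password(password, rec["salt"])):
            return None
        token = secrets.token_urlsafe(32)  # the value that would go into Set-Cookie
        self._sessions[_hash_token(token)] = {"user": user, "expires": time.time() + SESSION_TTL}
        return token

    def authenticate(self, token: str):
        """What every later request does: look the cookie up. No password and no
        2FA are involved, which is exactly why a copied cookie works anywhere."""
        key = _hash_token(token)
        rec = self._sessions.get(key)
        if rec is None or rec["expires"] < time.time():
            self._sessions.pop(key, None)
            return None
        return rec["user"]

    def logout(self, token: str) -> None:
        """Signing out on the affected device: the session dies server-side."""
        self._sessions.pop(_hash_token(token), None)

    def revoke_all(self, user: str) -> None:
        """Remote revocation from a 'devices' page: drop every session of the user."""
        for key in [k for k, v in self._sessions.items() if v["user"] == user]:
            del self._sessions[key]

    def reset_password(self, user: str, new_password: str, revoke_sessions: bool) -> None:
        """A reset that leaves sessions alone is the failure mode the article describes."""
        self.register(user, new_password)
        if revoke_sessions:
            self.revoke_all(user)


def demo() -> dict:
    """Walk through the scenarios from the article and return what happened."""
    store = SessionStore()
    store.register("alice", "correct horse battery staple")
    cookie = store.login("alice", "correct horse battery staple")
    stolen = cookie  # constructed: an info stealer copied this value off the victim's disk
    results = {}
    # 1. The copied cookie is accepted without any password or 2FA.
    results["stolen_cookie_accepted"] = store.authenticate(stolen) == "alice"
    # 2. A password reset that does not revoke sessions changes nothing for the attacker.
    store.reset_password("alice", "new password", revoke_sessions=False)
    results["still_accepted_after_reset_only"] = store.authenticate(stolen) == "alice"
    # 3. Signing out invalidates the session behind the stolen cookie.
    store.logout(cookie)
    results["accepted_after_signout"] = store.authenticate(stolen) == "alice"
    # 4. A reset that also revokes every session evicts other copies too.
    cookie2 = store.login("alice", "new password")
    store.reset_password("alice", "another password", revoke_sessions=True)
    results["accepted_after_reset_with_revocation"] = store.authenticate(cookie2) == "alice"
    return results


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario}: {'accepted' if accepted else 'rejected'}")
```

The design choice that matters for defenders is that validity lives in the server-side table, not in the cookie: a stolen value can only be used for as long as its row exists, so sign-out, a devices-page revocation, or a password reset that clears sessions all take effect immediately. Whether a given site's reset flow actually clears sessions is worth checking, since this example shows the difference is invisible to the user.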


UPDATE: 2024/01/03 17:36 EST BY CHANDRAVEER MATHUR

Statement from Google and updated advice to protect your account

We have updated the article with Google's statement on the matter, and clarified that hackers would need to gain access to your device before they can use cookie stealer malware.