
Google’s Surprising Security Advice for Gmail Users

Have you tried turning it off and on again? That was the go-to advice offered by the character of Roy, a long-suffering support technician, in the cult TV sitcom The IT Crowd, which ended in 2013. Now, Google is suggesting the same advice in 2024 for Gmail users following reports of a password change–resistant attack being exploited by information-stealing attackers.

In an adversary intelligence analysis published December 29, CloudSEK researcher Pavan Karthick M detailed how Google accounts could be compromised by exploiting an undocumented authentication endpoint used for cross-service synchronization. Attackers were found to be using it to abuse session cookies and log into Google users’ accounts without needing to enter credentials. This could then enable access to the security Holy Grail that is the Gmail inbox.

The first mention of this exploit was on October 20 in a Russian-language Telegram channel. By November 14, however, it was known to have been included within malware used by the Lumma criminal group, and it was soon adopted by other threat actors. As recently as December 27, threat actors have been seen on the dark web demonstrating the use of this exploit against Google account session cookies.

So far, so “meh” from the security surprise perspective. After all, attackers have been using session cookie hijacks for the longest time. Well, not quite the longest time, as session cookies usually come complete with a timeout that prevents their continued use. This is where this particular exploit becomes interesting. According to the CloudSEK threat intelligence analysis, expired session cookies could be restored to allow continued and prolonged access by the attackers. Moreover, the research states that the exploit enables continuous access to Google services even after users reset their passwords.
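The point in the paragraph above is that a short-lived session cookie expiring is not the same thing as the attacker being evicted, and that a password reset evicts the attacker only if the server deliberately invalidates every outstanding token. The toy model below, added here as an illustration and not Google's implementation or code from the CloudSEK report, uses a hypothetical "session generation" counter on the account: a reset on the weak server leaves a long-lived refresh token usable, while on the hardened server (or after an explicit "sign out of all sessions") it does not. All names, TTLs and timestamps are constructed.

```python
"""Toy session/refresh-token model: why a password reset alone may not
evict a holder of a long-lived token. Constructed illustration only."""
import secrets
from dataclasses import dataclass

SESSION_TTL = 60 * 60            # short-lived session cookie (1 hour, constructed value)
REFRESH_TTL = 60 * 60 * 24 * 30  # long-lived refresh token (30 days, constructed value)


@dataclass
class Token:
    account_id: str
    generation: int   # account's session generation when the token was minted
    issued_at: float
    ttl: float
    kind: str         # "session" or "refresh"

    def expired(self, now: float) -> bool:
        return now >= self.issued_at + self.ttl


class AuthServer:
    """Hypothetical auth server. revoke_on_password_change selects the weak
    behaviour (reset leaves old tokens usable) or the hardened one (reset bumps
    the account's generation, invalidating every token minted before it)."""

    def __init__(self, revoke_on_password_change: bool):
        self.generation = {}   # account_id -> current session generation
        self.tokens = {}       # opaque token string -> Token
        self.revoke_on_password_change = revoke_on_password_change

    def _mint(self, account_id: str, kind: str, ttl: float, now: float) -> str:
        t = secrets.token_urlsafe(32)
        self.tokens[t] = Token(account_id, self.generation[account_id], now, ttl, kind)
        return t

    def login(self, account_id: str, now: float):
        self.generation.setdefault(account_id, 0)
        return (self._mint(account_id, "session", SESSION_TTL, now),
                self._mint(account_id, "refresh", REFRESH_TTL, now))

    def _lookup(self, token: str, kind: str, now: float):
        t = self.tokens.get(token)
        if t is None or t.kind != kind or t.expired(now):
            return None
        # a token minted under an older generation has been revoked
        if t.generation != self.generation[t.account_id]:
            return None
        return t

    def validate_session(self, session_token: str, now: float) -> bool:
        return self._lookup(session_token, "session", now) is not None

    def refresh_session(self, refresh_token: str, now: float):
        """Exchange a valid refresh token for a fresh session cookie, else None."""
        t = self._lookup(refresh_token, "refresh", now)
        if t is None:
            return None
        return self._mint(t.account_id, "session", SESSION_TTL, now)

    def sign_out_everywhere(self, account_id: str) -> None:
        self.generation[account_id] += 1

    def change_password(self, account_id: str) -> None:
        # password storage omitted; only the session side matters here
        if self.revoke_on_password_change:
            self.sign_out_everywhere(account_id)


def scenario(revoke_on_password_change: bool) -> dict:
    """A leaked refresh token outlives the session cookie; does it outlive a reset?"""
    srv = AuthServer(revoke_on_password_change)
    t0 = 1_700_000_000.0  # constructed timestamp
    session, refresh = srv.login("victim", t0)
    after_expiry = t0 + SESSION_TTL + 1
    # the short-lived session cookie by itself is dead after its TTL ...
    stale_ok = srv.validate_session(session, after_expiry)
    # ... but the long-lived refresh token mints a brand-new valid one
    renewed = srv.refresh_session(refresh, after_expiry)
    renewed_ok = renewed is not None and srv.validate_session(renewed, after_expiry)
    # the account owner resets the password
    srv.change_password("victim")
    after_reset = after_expiry + 1
    survives_reset = srv.refresh_session(refresh, after_reset) is not None
    # an explicit "sign out of all sessions" revokes regardless of policy
    srv.sign_out_everywhere("victim")
    survives_signout = srv.refresh_session(refresh, after_reset + 1) is not None
    return {"stale_session_valid": stale_ok,
            "refresh_works": renewed_ok,
            "survives_password_reset": survives_reset,
            "survives_sign_out_everywhere": survives_signout}


if __name__ == "__main__":
    print("weak    :", scenario(False))
    print("hardened:", scenario(True))
```

Running the module prints the weak server reporting `survives_password_reset: True` and the hardened one `False`; in both cases the explicit sign-out-everywhere step revokes the token, which is why "sign out of all sessions" is the remediation that works independently of how the service treats a password change.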

A Google spokesperson says the company is “aware of recent reports of a malware family stealing session tokens” and acknowledges that such attacks “involving malware that steal cookies and tokens”
