from Hacker News

Malware abuses Google OAuth endpoint to 'revive' cookies, hijack accounts

by schalkneethling on 12/29/23, 4:22 PM with 103 comments

  • by elric on 12/30/23, 8:11 PM

    Given how many times I've heard of people being locked out of their Google accounts, and who are only able to regain access because they're still logged in on some rarely used device, I imagine that Google would lose a bunch of users if they suddenly started to expire those cookies.

  • by tyoma on 12/30/23, 7:52 PM

    Seems bad that the cookies are still valid after password rotation.

    Relatedly, is this another instance of HN serving as de-facto Google tech support/customer service?

  • by ademarre on 12/31/23, 9:30 AM

    This would be a better link; the blog post on which the Bleeping Computer article is primarily based. They refer to it but never link to it:

    https://www.cloudsek.com/blog/compromising-google-accounts-m...

  • by shadowgovt on 12/31/23, 2:30 AM

    Multilogin continues to be the gift that keeps on giving for Google.

    Google engineers weren't keen to implement the feature in the first place, and it's been kind of an unlimited well of headaches, confusion, and user issues ever since.

  • by candiddevmike on 12/30/23, 10:58 PM

    This is doubly bad for Google Cloud, as you can't use it without Google accounts. I'm not sure if it makes sense to remove Sign in with Google yet, though I'm not sure how much I can trust Google for delegating user auth now...

  • by rolph on 12/30/23, 7:46 PM

  • by motohagiography on 12/31/23, 12:10 AM

    Interpreting that the basic problem is limited to a proprietary OAuth2 extension feature of Chrome designed by Google to support Google services.

    It sounds related to an OAuth2 footgun around applying the expiry to refresh_tokens in addition to the access_token, which has an explicit expiry. Whereas the refresh_token expiry is only implied as something less than the access_token - if any.

  • by DeathArrow on 12/31/23, 9:22 AM

    It's better to not rely on Google for anything important.

  • by HackerThemAll on 12/31/23, 11:04 AM

    At the same time Google requires employees to log in (including touching U2F key) every single day, invalidating all sessions.

    So this is schizophrenia - the corporation is protected, but casual Gmail users are left to be hacked with no option to set the session expiration anywhere in the account settings.

  • by robocat on 12/31/23, 9:13 AM

    Presumably cookies are "stolen" from Chrome by malware running under Windows.

    I guess Mac and Android users are potential victims too. As much as I despise post-Wozniak Apple, at least an iPhone is reasonably secure (except from governments).

  • by rezonant on 12/30/23, 8:17 PM

    X for Doubt. There are almost no details that are useful in this article, and in this case, the authors indicating Google isn't doing anything about it is likely because this isn't actually true.

    Of course maybe I'm wrong but short of some more compelling technical details (reply a link if there's a better source), I'm inclined to doubt the characterization of this article.

    EDIT: Sibling linked https://www.bleepingcomputer.com/news/security/malware-abuse... which is more technical.

  • by Sparkyte on 12/31/23, 12:51 AM

    Yikes!

    My life has always told me nothing is secure.