An alarming new cybersecurity headline is echoing across mainstream media: “Hackers can now access your Google account without a password.” The news is based on an investigation by Pavan Karthick M. from CloudSEK, which looks into a new tool cybercriminals are using to breach Google accounts. However, the study has been taken a bit out of context.
Hackers breaching your Google account without needing to know your password sounds terrifying. But, in reality, that’s not what this new malware is doing. Let’s dive into the news, explain the exploit in question, and discover how you can stay safe.
Understanding the new Google cookie-token exploit
To understand the new exploit, we need to go back a couple of months. In October 2023, the threat actor PRISMA communicated via Telegram that he had discovered what CloudSEK calls a “critical exploit that allows the generation of persistent Google cookies through token manipulation.”
As most users know by now, browsers save a lot of important information, including passwords. This sensitive information is stored in your browser cookies and tokens. It’s why you don’t have to type in your Google password every time you open your web browser. And while this convenient technology saves us time and makes our online experiences more seamless, it also comes at a security cost.
For years, cybercriminals have been targeting browser cookies in search of the trove of information they can use to breach accounts. The idea that hackers would seek Google browser cookies and tokens is, therefore, nothing new. In fact, browser data extraction hacks are becoming more common as more and more of our sensitive information is stored in them.
While this technique is not new, the malware has been coded to do something different, which has surprised experts. The plot twist is that this malware can regenerate cookies and tokens and create a persistent attack. This means that even if a user changes their Google password — which, until now, was the go-to fix for a cookie-token compromise — the attackers can still break in. Most users never log out of their browsers on all of their devices, and this exploit takes advantage of that.
As CloudSEK explains, this exploit was coded for session persistence. That means the exploit remains valid even when the account password is changed. Additionally, the exploit can generate new valid cookies when a session is disrupted, basically accessing the new passwords again through the browser cookies and tokens.
So, to clarify, it’s not that hackers can break in without your password. Rather, it’s that they can gain access to the browser token where the new password is stored.
How the session hijacker tool became popular among cybercriminal gangs
The dark web and underground cybercriminal landscape is a highly connected community. Bad actors are constantly feeding off each other, learning, and innovating. In this industry, gangs that sell malware-as-a-service bring in big bucks. And just like legitimate software developers, cybercriminal gangs update their malware. They regularly offer new features for customers, fix security bugs, and include new tools that facilitate the work of hackers.
Considering this trend, it makes sense that just under one month after PRISMA made this new Google exploit public to the criminal community via Telegram, one of the big names in this underground industry saw an opportunity and took it.
By November, the hackers behind the infamous Lumma Stealer had reverse-engineered this new Google exploit. They rapidly integrated it into their malware, offering the new tool to anyone who wanted to buy their software and run attacks.
Not only did Lumma hackers reverse-engineer the exploit, but they black-boxed it. A black-box technology is one that is fully operational, yet no one outside its creators fully understands how it works. With a black-box tool, users can input commands or prompts, and the black box then gets to work and generates an output. What’s really going on inside the black box, however, remains a mystery.
The reasons why Lumma hackers used advanced black-boxing techniques for this exploit are clear. They hope to enhance the evasion capabilities of the tool, make it accessible to customers who lack the skills to engineer, deploy, and run the exploit themselves, and make the work of cybersecurity experts more complicated.
From November to December, the new black-boxed tool that allowed “hackers to access your Google account without a password” spread like wildfire across the cybercriminal industry. Known hacker groups that have already integrated this tool into their malware portfolio include some scary names in the sector: Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.
With all the confusion, how can you stay safe?
CloudSEK’s analysis of this malware concludes that if you are breached by this new tool, changing your passwords will do no good. However, there’s still no reason to panic. CloudSEK explains that you can stay safe by following a few simple steps:
- Sign out of all browser profiles on all of your devices. (This will invalidate the current session tokens.)
- Reset your passwords and sign back in to generate new tokens.
- That’s it!
Note that this simple fix is for regular users. Administrators and those who have Google-managed accounts need to follow the steps provided by Google on its support page.
Final thoughts on malware, media, and intentional chaos
While this new exploit is definitely a step up from the old cookie-token Google password stealer trick, it’s not entirely out of the ordinary. Cybersecurity, malware, and exploits can be extremely challenging to understand. This fact inevitably creates a lot of confusion among all sectors.
Naturally, we expect Google to develop a security patch for this exploit very soon. Until then, the remediation methods listed by CloudSEK will keep your Google accounts safe. Other good tips include regularly checking your account for unfamiliar sessions and never downloading unknown software or unknown attachments.
Some of the main goals of cybercriminals (besides financial or political motivations) are to spread confusion, chaos, and terror. Operating in the shadows and boasting about new malware kits that can hack even the safest tech brands is a form of psychological warfare.
As we enter 2024, we know that the cybersecurity road ahead is going to be a difficult one. Therefore, we must call things as they are. Our role as cybersecurity communicators is to align with the work that cybersecurity experts, ethical hackers, and international law enforcement agencies are doing. It is our aim to shine a light on these endless, sinister, and very invasive hacks. This hopefully will help increase security, create a safer digital world, and build trust.
In conclusion, the answer is “No.” Hackers cannot actually access your Google account without a password. They are simply stealing your browser cookies and tokens and regenerating them using a new tech. And clickbait cybersecurity headlines and misinformation (whether done maliciously or otherwise) only fuel the fires of the global campaign of psychological terror that cybercriminal gangs are responsible for.
This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Google LLC. Google is a trademark of Google LLC.