CloudSEK reports that a threat actor named PRISMA created an exploit for a Google OAuth "MultiLogin" vulnerability, enabling uninterrupted access to Google services even after password resets. The exploit is rooted in an Google authentication endpoint named "MultiLogin" which enables to synchronize accounts. Yet, MultiLogin may enable a threat actor to manipulate tokens for persistent cookie generation.
OAuth 2.0, a widely used internet resource access protocol for user identity verification on platforms.
PRISMA openly discussed its exploit via Telegram in October 2023. Since November 2023, MultiLogin exploit has been integrated within LummaC2 information stealer.
The exploit exhibits key features, including session persistence and cookie generation, targeting Chrome's token_service table to extract secrets, tokens, and account IDs.
The exploit's sophistication involves nuanced manipulation of the GAIA ID token, allowing continuous cookie regeneration even after password changes. This elevated level of exploitation, shielded by encryption, poses a significant threat to Google's internal authentication mechanisms.