.png "blank Coverage")
Reports have surfaced regarding a critical vulnerability linked to cookies, involving malware initially extracting files from Chrome. This vulnerability poses a significant threat by allowing access to Google Accounts even after users change their passwords.
In response to this issue, Google has taken action to secure compromised accounts, emphasizing the importance of signing out of affected browsers through the Account switcher on any Google site or device. Google also clarified a misconception, stating that stolen tokens and cookies can indeed be revoked by users, either by signing out of the affected browser or remotely revoking them via the user's devices page.
The vulnerability, as detailed by BleepingComputer, CloudSEK, and Hudson Rock, requires the installation of malware on a desktop to extract and decrypt login tokens stored within Google Chrome's local database. The extracted information is then utilized to send a request to a Google API, typically used by Chrome for account synchronization, creating persistent Google cookies for authentication and enabling unauthorized access to user accounts. The potential effectiveness of two-factor authentication in protecting against this exploit remains unclear.
The troubling aspect of this vulnerability lies in its ability to repeatedly execute the "restoration" process without the victim's awareness, even after a password change. Even after a Google Account password reset, bad actors can exploit this vulnerability once more to gain access to the compromised account.
This vulnerability is known to multiple malware groups, with six identified by BleepingComputer, selling access to the exploit. The exploit was initially advertised in mid-November, and some parties claim to have already updated it to counter Google's implemented countermeasures. Users are advised to take proactive steps to remove malware from their computers, and Google recommends enabling Enhanced Safe Browsing in Chrome for protection against phishing and malware downloads. Continued monitoring of the situation is ongoing, with updates to be provided as needed.
