> Last October 2023, a user known by the pseudonym PRISMA revealed on his Telegram channel that he had managed to restore expired Google authentication cookies. This allowed him to access Gmail accounts, even if the user had changed the password, and generate new session cookies with which to continue entering them in an unauthorized manner.
> Specifically, what they do is take advantage of an endpoint called MultiLogin from Google OAuth to log into user accounts without having to follow the authentication process. This was revealed in a publication on his official blog
The blog (https://www.cloudsek.com/blog/compromising-google-accounts-m...) goes into a lot more detail. In particular is this point:
> While we await a comprehensive solution from Google, users can take immediate action to safeguard against this exploit. If you suspect your account may have been compromised, or as a general precaution, sign out of all browser profiles to invalidate the current session tokens. Following this, reset your password and sign back in to generate new tokens. This is especially crucial for users whose tokens and GAIA IDs might have been exfiltrated. Resetting your password effectively disrupts unauthorized access by invalidating the old tokens which the infostealers rely on, thus providing a crucial barrier to the continuation of their exploit.
I'm confused on how and why the exploit and "safeguard" (not even sure it stops the exploit) works. When you reset your password, intuitively the server should invalidate all your session cookies, automatically logging you out of every device in the process. Is Google not doing that?
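The behaviour the comment expects, as an added illustration (not code from the post, the blog, or Google): a session store that records a per-account credential version when a session is issued and refuses to validate or re-mint any session issued under an older version. The names, the plaintext password comparison and the in-memory store are simplifications assumed here for brevity.

```python
import secrets


class SessionStore:
    """Sessions are bound to the credential version current at issue time."""

    def __init__(self):
        # user -> {"password": str, "version": int, "sessions": {sid: version}}
        self.accounts = {}

    def create_account(self, user, password):
        # Hypothetical helper; a real system stores a password hash, not the password.
        self.accounts[user] = {"password": password, "version": 1, "sessions": {}}

    def login(self, user, password):
        acct = self.accounts[user]
        if acct["password"] != password:
            return None
        sid = secrets.token_hex(16)
        acct["sessions"][sid] = acct["version"]  # remember which generation issued it
        return sid

    def is_valid(self, user, sid):
        acct = self.accounts[user]
        # Unknown session, or one minted under a previous credential version, is rejected.
        return acct["sessions"].get(sid) == acct["version"]

    def refresh(self, user, sid):
        """Mint a fresh session from an existing one; this is the 'restore an old
        cookie' step that must fail once the old session has been invalidated."""
        if not self.is_valid(user, sid):
            return None
        acct = self.accounts[user]
        new_sid = secrets.token_hex(16)
        acct["sessions"][new_sid] = acct["version"]
        return new_sid

    def reset_password(self, user, new_password):
        acct = self.accounts[user]
        acct["password"] = new_password
        acct["version"] += 1  # every session issued so far is now stale, on every device
```

Because validity is checked against the current version rather than by deleting rows, a reset also invalidates sessions the server never got around to enumerating.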