Tech News Hackers have found a way to gain unauthorized access to Google accounts, bypassing any multi-factor authentication (MFA)

Info-stealers can steal cookies for permanent access to your Google account

January 11, 2024

Hackers have found a way to gain unauthorized access to Google accounts, bypassing any multi-factor authentication (MFA) the user may have set up. To do this they steal authentication cookies and then extend their lifespan. It doesn’t even help if the owner of the account changes their password.
Since the discovery of the exploit, numerous white and black hat security researchers have looked into and discussed the issue. As a result, the exploit is now built into various information stealers.
Cookies are used to track users across websites and remember information about their visit. Authentication cookies are in essence pieces of data that the browser sends to a site to identify the user and check whether they are logged in. Usually these cookies have an expiration date after which the user will be asked to log in.
Persistent cookies enable a continuous access to Google services, even after the user resets their password. This exploit allows the generation of persistent Google cookies by using a Google Application Programming Interface (API) designed for synchronizing accounts across different Google services to bring back to life expired authentication cookies.
A Google account provides access to Google services like Gmail, Google Calendar, and Google Maps, but also Google Ads and YouTube.
In a statement Google responded:

“We routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.”
However, some info stealers have already been updated to counter Google’s fraud detection measures.
Sources familiar with this issue have told that Google believes the API is working as intended and that no vulnerability is being exploited by the malware, which implies that Google isn’t working on a more permanent fix for this problem.

Review devices

To check whether someone has accessed your account, you can view which computers, phones, or other devices were signed in to your Google Account recently.
  1. Go to your Google Account.
  2. On the left navigation panel, select Security.
  3. On the Your devices panel, select Manage all devices.
  4. You’ll see devices where you’re currently signed in to your Google Account or have been in the last few weeks. For more details, select a device or a session.
  5. Devices or sessions where you’re signed out will have a “Signed out” indication.
  6. If multiple sessions appear for the same device type, they might all be on one device or multiple devices. Review their details, and if you’re not sure all the sessions are from your devices, sign out on them.

Remediate

If you think your account has been compromised, you will have to sign out of all browsers to invalidate the current session tokens and then reset your password. Next you will need to sign back in to generate new tokens. Only this stops the unauthorized access because it invalidates the old tokens.
The steps outlined below are for administrators who manage Google Accounts for a company, school, or other group. As an administrator, you can sign a user out of a managed Google Account, such as Google Workspace or Cloud Identity.
To reset a user’s sign-in cookies:

  1. Sign in to your Google Admin console. Sign in using an administrator account, not your current account.
  2. In the Admin console, go to Menu > Directory > Users.
  3. In the Users list, find the user. If you need help, go to .
  4. Click the user’s name to open the user’s account page.
  5. Click Security > Sign-in cookies > Reset.
What might help stop this abuse is if Google speeds up the announced end of tracking cookies. Obviously, we think it’s best to keep these information stealers off your computer.

From: Malwarebytes Labs
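
Why the remediation steps above insist on invalidating sessions rather than only changing the password, as an added example that is not part of the original article and is not Google's code: a hypothetical service whose signed session tokens carry a per-user epoch. `SessionService`, its methods and the sample account are assumptions made for illustration and say nothing about how Google implements sessions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed signing key for this demo

class SessionService:
    """Hypothetical service: each token is bound to a per-user session epoch."""

    def __init__(self):
        self.users = {}  # user -> {"pw": password hash, "epoch": int}

    @staticmethod
    def _hash(password):
        # Demo only; a real service would use a slow, salted KDF.
        return hashlib.sha256(password.encode()).hexdigest()

    def _sign(self, user, epoch):
        return hmac.new(SERVER_KEY, f"{user}|{epoch}".encode(), hashlib.sha256).hexdigest()

    def register(self, user, password):
        self.users[user] = {"pw": self._hash(password), "epoch": 0}

    def login(self, user, password):
        rec = self.users[user]
        if not hmac.compare_digest(rec["pw"], self._hash(password)):
            raise PermissionError("bad password")
        return f"{user}|{rec['epoch']}|{self._sign(user, rec['epoch'])}"

    def is_valid(self, token):
        try:
            user, epoch, sig = token.split("|")
            rec = self.users[user]
        except (ValueError, KeyError):
            return False
        # A token is accepted only if it is authentic AND from the current epoch.
        return hmac.compare_digest(sig, self._sign(user, epoch)) and int(epoch) == rec["epoch"]

    def change_password(self, user, new_password):
        # Password-only change: tokens issued earlier are not touched.
        self.users[user]["pw"] = self._hash(new_password)

    def reset_sessions(self, user):
        # "Sign out everywhere": bump the epoch so every older token fails.
        self.users[user]["epoch"] += 1

def demo():
    svc = SessionService()
    svc.register("alice", "old-pw")             # constructed sample account
    copied = svc.login("alice", "old-pw")       # stands in for a copied session cookie
    svc.change_password("alice", "new-pw")
    after_pw_change = svc.is_valid(copied)      # still accepted
    svc.reset_sessions("alice")
    after_reset = svc.is_valid(copied)          # now rejected
    fresh = svc.is_valid(svc.login("alice", "new-pw"))
    return after_pw_change, after_reset, fresh
```

In this model the password and the session token are independent credentials, which is why a reset has to act on the sessions themselves.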

Wichestery2k

if it's created by man it can be hacked! lol
 

FishAping

Google has never been safe... any system can be hacked, it's as simple as that...
 

Toxined

In the first place, I'm not using cookies as much as I could. It's maybe because of a phobia in me, or I don't like someone sneaking into my history at any cost, or both. LOL.

Even in my browsers I set everything to clear and set them to stop using cookies in sites. Though it breaks some sites, I'm not staying logged in every time. When the job I came for is done, my duty is off and it's time to sign off.

Google has way back of these breaches and many have this kind of vulnerability. As @Wichestery2k said, that's true. Man is not perfect, so their code isn't either.
@FishAping yes it is. Nothing is error free. A basic theory in programming.

Only a matter of time. But being careful before something happens is just the way to stop these kinds of things happening to anyone.
 

Cyler

The original writers and in general writers of various web tech articles always try to sensationalize and create a bit of scare and fear in people. Infostealers are not something new and I am surprised that tech sites don't promote or show the passkey option which is resistant to phishing, and info stealing and also provides a passwordless experience using public key cryptography and not simple passwords that can be hacked.

First of all for someone to steal your cookies, they must run a program on your PC with admin credentials and yes if they have the cookies, then your data is wide open. FYI this is an issue with a LOT of services not just google. This can not happen over the net, or by browsing a site. If you scan all the things you download, don't download from shady/unknown places, or open every email you get, promising you millions of dollars, and in general exercise common sense you are safe.

For those who want extra protection tho....
Here is a quick guide to almost never get hacked even if someone steals cookies. I say almost because the only downside is if someone uses or steals your PC and you don't see it in time.

1. Create a PASSKEY for your Google account/PC, not a password, P A S S K E Y... I repeat PASSKEY
2. Live happily ever after


What is a passkey, you ask? A passkey, also known as the passwordless method (see, it gets more fun), is a method that will tie your Google account to a SPECIFIC PC, and those PC(s) don't need to log in via password after that. If no password is stored, there is nothing to steal, that simple. If there is ever a need for a password, you will be asked to provide the Windows administrator account and not the Google one, and I want to believe you are smart enough NOT to use the same password :p From that point on, you will not be asked for a password, which also makes life easier as... it's your PC and that is how it should be. Since the account is locked to specific devices, even if someone steals your cookies they can't be used, since the account authentication can see it is not your PC. Google uses a FIDO key which is also resistant to phishing and offers way higher protection and is only comparable to hardware USB keys.

I won't go deeper into this subject so as to not hijack @Twistty's thread, but you can do your research and believe me, it's a life changer.
If people want I can create a guide for passkeys and also explain the pros and cons.

Don't believe the hype
 

Alessia_Amelia

Thank you for the information @Twistty, good to know, and yes @Cyler we would love to have you create a guide to use for Passkey creation :cool:
 

pascalwil

Thanks @Twistty and @Cyler for your valuable information.
Have checked my Google account and so far so good.
But since you're proposing yes @Cyler go ahead with creating a guide and explaining passkeys. If it's not too much work for you! Seems like a good way forward.

Cheers
 

_Jules_

Cyler said:
I won't go deeper into this subject so as to not hijack @Twistty thread but you can do your research and believe me, it's a life changer.
If people want I can create a guide for passkeys and also explain the pros and cons.

That would be very interesting, I'd like to hear more about this!
 

RedDove

Thanks so much for the info, @Twistty.
@Cyler we would love a guide on passkey creation. To be honest, I never knew there was a difference between passwords, pass-codes and passkeys, so I would love to know more about it. And another question: who the heck are you, Cyler?
A lot of you are so dang smart, it blows my mind and I feel like a proud mama, even though I don't know you personally, but wow. :)
 