Malware Using Google MultiLogin Exploit to Maintain Access Despite Password Reset
Information-stealing malware is exploiting an undocumented Google OAuth endpoint called MultiLogin to hijack user sessions and keep continuous access to Google services even after a password reset. According to researchers at CloudSEK, the critical exploit facilitates session persistence and cookie generation, allowing threat actors to maintain unauthorized access to a valid session. A threat actor named PRISMA first revealed the technique on their Telegram channel on October 20, 2023.