Google: Undocumented Google OAuth Endpoint Exploited by Malware for Persistent Access

Security researchers have found malware families exploiting an unknown Google OAuth endpoint named “MultiLogin” to restore expired authentication cookies, allowing continuous unauthorized access to accounts even after password changes. The endpoint, intended to sync accounts across Google services, has been used to regenerate expired Google service cookies in compromised accounts. The discovery underscores the need for improved countermeasures and responses to evolving cybersecurity threats.