Highly exploited Chromium bug traced to a Google OAuth endpoint
An undocumented Google OAuth endpoint named ‘MultiLogin’ was identified as the root of a notorious info-stealing exploit. Cybersecurity intelligence company CloudSEK revealed that the exploit, which allows persistent Google cookies to be generated through token manipulation and gives continuous access to Google services, was first used by a threat actor, ‘Prisma’, on a Telegram channel. The exploit quickly spread and was added to the Lumma InfoStealer malware; it has since been adopted by other threat actors. The ongoing vulnerability highlights the need for users to log out to prevent exploitation.