Malware abuses Google OAuth endpoint to ‘revive’ cookies, hijack accounts
Cyber threat actors are exploiting an undisclosed Google OAuth endpoint called "MultiLogin" to reestablish expired authentication cookies and gain illegitimate access to users' accounts, even after password resets. The discovery by security firm CloudSEK revealed that the authentication cookies which enable automatic logins can be abused in this way, a capability already being used by malware such as Lumma and Rhadamanthys. That expired cookies can be reestablished despite the protections around them highlights gaps in endpoint security and raises concerns about data protection shortcomings. Google has not clarified what mitigation measures it is taking to address the issue.