Malware abusing API is standard token theft, not an API issue

siteadmin January 6, 2024

Google is dismissing reports of malware misusing an obscure Chrome API to renew expired authentication cookies. The malware operations Lumma, Rhadamanthys, Stealc, Medusa, RisePro, and Whitesnake reportedly abuse Google’s OAuth “MultiLogin” API to generate fresh cookies for access to compromised Google accounts. Google claims this API function is part of normal operation, and advises users to log out of Chrome or end all active sessions to invalidate the authentication tokens. Critics suggest that restricting access to the API would be a better preventive measure.
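The reason Google's advice works is easier to see in a small model of the mechanism: a long-lived refresh token mints short-lived session cookies, so a stealer that copies the token can keep minting cookies until that token is revoked, and "end all sessions" is precisely that revocation. The code below is an added illustration, not code from this article or from Google, and it is not the MultiLogin API; the `SessionService` class, the per-account generation counter used for revocation, the audit events, and the account and client identifiers are all constructed assumptions.

```python
"""Toy session model (constructed for illustration, not Google's MultiLogin API):
a refresh token mints HMAC-signed one-hour session cookies, and a per-account
generation counter lets "end all sessions" revoke every earlier refresh token."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple


class SessionService:
    def __init__(self, secret: bytes):
        self._secret = secret
        # refresh token -> (account, generation at issue time, client it was issued to)
        self._refresh_tokens: Dict[str, Tuple[str, int, str]] = {}
        self._generation: Dict[str, int] = {}          # account -> current generation
        self.audit_log: List[Tuple[str, str, str]] = []  # (event, account, client)

    def login(self, account: str, client_id: str) -> str:
        """Interactive login: issue a refresh token bound to the account's current generation."""
        gen = self._generation.setdefault(account, 0)
        token = secrets.token_urlsafe(32)
        self._refresh_tokens[token] = (account, gen, client_id)
        return token

    def mint_cookie(self, refresh_token: str, client_id: str, now: Optional[int] = None) -> Optional[str]:
        """Exchange a refresh token for a fresh session cookie, or None if the token is unknown/revoked."""
        entry = self._refresh_tokens.get(refresh_token)
        if entry is None:
            return None
        account, gen, issued_to = entry
        if gen != self._generation[account]:
            # Token predates "end all sessions": refuse and record the attempt.
            self.audit_log.append(("revoked_token_used", account, client_id))
            return None
        if client_id != issued_to:
            # Still valid, but presented by a client other than the one it was issued to:
            # worth an alert even though the request succeeds.
            self.audit_log.append(("refresh_from_new_client", account, client_id))
        expires = (now if now is not None else int(time.time())) + 3600
        payload = f"{account}:{expires}"
        sig = hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{sig}"

    def verify_cookie(self, cookie: str, now: Optional[int] = None) -> Optional[str]:
        """Return the account if the cookie is authentic and unexpired, else None."""
        try:
            account, expires, sig = cookie.rsplit(":", 2)
        except ValueError:
            return None
        if not expires.isdigit():
            return None
        expected = hmac.new(self._secret, f"{account}:{expires}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        current = now if now is not None else int(time.time())
        return account if int(expires) > current else None

    def end_all_sessions(self, account: str) -> None:
        """Bump the generation: every refresh token issued before this call is now dead."""
        self._generation[account] = self._generation.get(account, 0) + 1


def walkthrough() -> dict:
    """Show that a copied refresh token keeps minting cookies only until the user ends all sessions."""
    svc = SessionService(secrets.token_bytes(32))
    victim = "user@example.test"                      # constructed account
    token = svc.login(victim, "victims-chrome")       # constructed client id
    copied = token  # a stealer that reads the token store holds an identical string
    before = svc.mint_cookie(copied, "unknown-host")  # succeeds, but is flagged
    svc.end_all_sessions(victim)                      # the mitigation from the article
    after = svc.mint_cookie(copied, "unknown-host")   # now refused and logged
    return {
        "minted_before_revocation": before is not None,
        "minted_after_revocation": after is not None,
        "alerts": [event for event, _, _ in svc.audit_log],
    }


if __name__ == "__main__":
    print(walkthrough())
```

The two audit events are the detection side of the same story: a refresh presented by a client other than the one it was issued to, and a refresh attempted with a token from a revoked generation, are both signals a session service can raise without changing the API's normal behaviour.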