Multiple information-stealing malware families are abusing an undocumented Google OAuth endpoint called "MultiLogin" to regenerate expired Google authentication cookies and regain access to victims' accounts, even after the victim has reset their password. Because these session cookies carry the authentication state, an attacker who holds valid copies can access the account without ever entering credentials. BleepingComputer contacted Google for comment but had received no response at the time of writing. According to CloudSEK researchers, the technique works as follows: the stealer extracts authentication tokens and the associated Google account IDs from Chrome profiles that are signed in to a Google account, then submits those token/account-ID pairs to the MultiLogin endpoint, which issues fresh Google service cookies. Since the cookies are minted from the stolen tokens rather than from the password, a password reset alone does not cut off the attacker, and the regenerated cookies provide persistent access to the compromised account. Several infostealer families have already integrated the technique, which raises concern about how widely it is being exploited. It remains unclear whether Google is aware of the abuse and what mitigations, if any, it has put in place.
https://www.bleepingcomputer.com/news/security/malware-abuses-google-oauth-endpoint-to-revive-cookies-hijack-accounts/