At the end of December 2023, an undocumented Google Chrome API was reported to be abused by malware for data theft. Two infostealers, Lumma and Rhadamanthys, use the API to regain access to victims' Google accounts from data stolen in these attacks.
Following this revelation, four more malware families – Stealc, Medusa, RisePro, and WhiteSnake – have also started using the same method. CloudSEK researchers found that these programs abuse the Google OAuth endpoint known as “MultiLogin” to generate fresh authentication cookies, replacing the stolen cookies after they expire.
The endpoint, originally intended for synchronizing accounts across Google services, allows the malware not only to obtain authentication cookies for Google sites but also to acquire a special token that can be used to refresh or create new authentication tokens. Google's documentation says nothing further about this API; the only reference to it is in the Google Chrome source code.
Google has acknowledged the situation, categorizing it as the typical theft of cookies by malicious software. The company claims that it regularly updates its protective mechanisms and provides assistance to affected users.
To address the issue, Google advises users to stay signed in to their Chrome account on the affected device and terminate all active sessions via the “My devices” menu, which invalidates the refresh token that the API relies on. Google also recommends changing the account password, especially if it has been reused on other websites.
Nevertheless, many affected users do not know when or how to take these steps. Often they learn of the infection only after their accounts have been compromised and misused. For example, an Orange Spain employee discovered the infection only after the stolen credentials had been used to access the company's account and alter its BGP configuration, causing disruptions to internet service.
Google currently notifies victims of this API abuse, but it remains unclear how future victims will be informed and educated about the need to revoke their authentication tokens by signing out of their browsers.
Experts believe the best solution would be to restrict access to the API so that it can no longer be exploited, but there is no information on whether Google plans to do so. Google has not said how it intends to combat the abuse of this API.