Google Accounts Hacked Without Need for Passwords

According to the security firm that discovered the exploit, hackers are already integrating it into info-stealing malware.

Cybercriminals have found a way to break into password-protected Google accounts without acquiring any of their target’s login credentials, a security firm has suggested.

Through the generation of persistent Google cookies, the firm says, hackers can retain “continuous access” to Google accounts, even if the password is later reset. Threat groups are already experimenting with the technology.

The news is likely to add further fuel to the ongoing debate surrounding how secure passwords, password managers, and log-in journeys actually are, which is already convincing companies like Google to switch from passwords to passkeys.

Hacking a Google Account Without the Password

Back in October 2023, using an AI digital risk platform, security firm CloudSEK spotted that a threat actor called PRISMA had announced a “potent 0-day solution addressing challenges with incoming sessions of Google accounts” on their Telegram channel.

The zero-day exploit means hackers can effectively gain unauthorized access to Google accounts via token manipulation methods. This is all due to a major flaw in the cookie generation process, rooted in an undocumented Google Oauth endpoint dubbed “MultiLogin”.

Cookies are bits of information stored on devices, typically downloaded from websites. They're often used to facilitate account login journeys that don't require users to input their login credentials over and over again, as well as to tailor the browsing experience to a user's preferences more broadly.

Surfshark logo🔎 Want to browse the web privately? 🌎 Or appear as if you're in another country?
Get a huge 86% off Surfshark with this special tech.co offer.See deal button

The important feature of the zero-day solution is “session persistence”, which means a hacker’s session using a target Google account will continue to remain valid in the face of a password change.

This means the true owner of the Google account won’t be able to kick them out with a password reset. But further, it also allows any threat actor exploiting it to “generate valid cookies in the event of a session disruption”, which CloudSEK says enhances the attacker's ability to “maintain unauthorized access.”

As of January 2024, Google is yet to roll out a comprehensive solution to the flaw, CloudSEK says.

Hacking Groups Catch On to Big Discovery

Unfortunately, hackers have already incorporated the exploit into their info-stealing malware to break into the Google accounts of unsuspecting victims.

After the exploit was made public, in mid-November of 2023, “a threat actor… later reverse-engineered this script and incorporated it into Lumma Infostealer… protecting the methodology with advanced blackboxing techniques” CloudSEK notes.

After that, the team behind the Lumma info stealer updated the exploit to make it even harder for Google’s detection systems to spot.

CloudSEK says the exploit has now spread “rapidly” among various other threat groups, making the risk to account holders even higher – Rhadamanthys, Risepro, Meduza, and Stealc Stealer have reportedly all incorporated the technique already.

What to do if Your Google Account has Been Compromised

A simple password reset can't be used to beat this attack technique alone. CloudSEK recommends that users who believe their account may have been hacked first log out of all devices and browsers.

Only after following this step can a password reset involving a sufficiently complex and unique password be used to invalidate the threat actor's old tokens.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at contact@tech.co

Written by:
Aaron Drapkin is a Lead Writer at Tech.co. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol five years ago. As a writer, Aaron takes a special interest in VPNs, cybersecurity, and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, Cybernews, and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, ProPrivacy, The Week, and Politics.co.uk covering a wide range of topics.
Explore More See all news
Back to top
close Thinking about your online privacy? NordVPN is Tech.co's top-rated VPN service See Deals