Joshua.Hu | Joshua Rogers' Scribbles

On the Google Account Persistence Exploit

A recent exploit used by malware developers has been uncovered by security researchers, where Google accounts which have been hacked can be accessed even after their passwords have been changed – and Google’s “log out all other sessions” functionality used. This type of persistence – which effectively provides a hacker with life-long access to a hacked Google account – can be extremely valuable as an attacker can continue to retrieve information from the hacked user’s account even when they believe they are safe.

I found one specific part of this whole topic quite amusing: “Our TI Sources have conversed with the Threat actor who discovered the issue, which accelerated our discovery of the endpoint which was responsible for regenerating the cookies”, stated CloudSEK, a company which publicized the full details of how this exploit works. Except of course, this exploit has been around for years, and its long life has origns from long before a “threat actor” integrated it into their malware/exploit kit.

The “exploit” – whose discoverability is as simple as observing that after you change your Google password and press “log out all other sessions” other sessions do remain logged in if they’re using Chrome’s Google Account Synchronization – was being used by people like myself and others for a very long time, but not for malware-based purposes.

At least in my old circles, it was discovered accidently: it was just a noticed functionality which made somebody (not me) in my group of friends go “huh? how am I still logged in?” It was surely discovered by many other people, too.

Malware developers have never seemed to understand the value of their exploits. This must have been unleaked for over a decade, and selling it “as a service” is short-sighted and was bound to get it either leaked or fixed quickly. This type of persistence is invaluable and I can’t under-state enough how much of a shame its exposure is.

At least in my circles, it was used when we knew that logging in (or “recovering” which is the act of abusing the “forgotten password” functionality) to the Google account would quickly be noticed, and we wouldn’t have enough time to actually gain access to what we wanted (which is certainly not a bunch of random emails; it was accounts associated with that email address for which we could recover using the other services’ “forgotten password” functionality). Hacking isn’t about just hacking one thing and finishing, it’s about getting access one system and leveraging that to get to another; ad-infinitum until you’ve reached your final goal (and you may not actually know what that is when you begin).

Just imagine: you not only hack the Google account, but once they think they’re secure, you still have hidden access. You can access their emails, their Drive, their Youtube, and all of the website they use Google Single-Sign-On for.

If they’re actually using Google’s synchronization in Chrome, you also get access to:

  1. Their browsing history,
  2. Their cookies (everything they’re logged into!),
  3. Their new passwords,
  4. .. and more.

And if they’re not using Google’s synchronization? Then you can still get access to their Google search history (even if they have it search history disabled, you can simply enable it; how would they know?)

Another excellent exploit burned by… malware developers for $100/month. A real travesty.

All of this has reminded me of an old exploit: the ability to:

  1. Brute-force (or credential-stuff) Runescape accounts with no captcha,
  2. Access the bank accounts of Runescape accounts despite it having an “in-game pin” (a 4-digit code which is required before you can access your in-game account),
  3. Transfer all of the in-game gold from an account which has an “in-game pin” even after the above exploit (pin skip) was patched.

Tha above exploit was burnt by malware develoeprs for a measily few dollars per month, too. Some more fascinating story about that coming soon.