A recent spate of information-stealing malware has targeted a little-known Google Chrome API endpoint to gain prolonged access to users’ Google accounts. Dubbed the “MultiLogin” API, this interface is intended to help synchronize logins across Google services. However, lax access controls have left it ripe for abuse by cybercriminals.
At least six major malware operations since late November have incorporated the technique, including the notorious info-stealers Lumma, Rhadamanthys, Stealc, Medusa, RisePro, and Whitesnake. By stealing refresh tokens in addition to authentication cookies, this malware can continually generate new working login cookies long after the old ones expire. That gives threat actors an indefinite window to access compromised accounts.
The refresh tokens are used with the MultiLogin API, which accepts account IDs and auth tokens to sync logins. While details remain scarce, references in Google’s open source code confirm its existence. Researchers believe cybercriminal malware is now using stolen tokens to improperly invoke the API and swap expired credentials for fresh ones.
As long as a user hasn’t explicitly logged out of Chrome or revoked account sessions, the stolen tokens still work. And most malware victims remain unaware of the intrusion until serious account abuse occurs. For example, stolen Orange España telecom credentials were used to tamper with infrastructure, causing nationwide Internet outages. By then, the damage was already done.
While Google says it has proactively secured known compromised accounts, the company still considers this just standard malware behavior rather than an API vulnerability. Google maintains that affected users need only log out all browser sessions or revoke account access to thwart the attacks.
But that glosses over how the API loophole enables prolonged account access compared to plain cookie theft. It also ignores the fact that most victims discover the intrusion too late. Google could mitigate this by adding MultiLogin API restrictions, yet seems unwilling to do so.
That leaves users and security teams without good recourse once refresh tokens are stolen. To make matters worse, the simplicity of the technique means adoption by malware kits will likely accelerate.
Google argues that users should turn on Enhanced Safe Browsing protection and regularly remove any malware. But individuals have limited tools to detect sophisticated info-stealers, whereas Google could address the problem at its source.
Until then, all organizations should brace for potential exploitation by educating employees on this emerging threat. Protecting privileged accounts with stronger authentication methods is also advisable where feasible.
Because Google’s stance greenlights open season for malware operations to incorporate the technique, expect refresh token theft to undermine account security well into 2024 and beyond. This elevates the urgency for users and businesses to implement other mitigating controls before the next big outbreak. As with widespread threats like ransomware, the damaging potential is too great to ignore.