Date: 2024-01-02

Summary

Google Chrome is cracking down on third-party cookies, but a recent cookie vulnerability puts Google accounts at risk, even if passwords are changed.

Hackers can exploit session cookies used for user authentication to gain unauthorized access to Google accounts, bypassing passwords entirely.

The session cookie flaw is a zero-day vulnerability being actively exploited by at least six malware groups.

Browser cookies give the web browser the ability to remember what you do on websites, such as the items added to a shopping cart, data filled in forms, and login status. However, these very cookies also give dangerous malware inroads to your personal information and banking details. While Google Chrome is coming down heavily on third-party cookies, a recently discovered cookie vulnerability leaves Google accounts exposed even if you change your passwords, and at least six malware groups are actively selling this exploit.

Cookies are stored on the device where the web browser is installed, and they can typically read site data. However, bad actors can use cookies to siphon off your personal information as well. In a recent exploit detailed by BleepingComputer, hackers tried restoring session cookies used to store user authentication information. As the name suggests, session cookies are typically stored temporarily, and they make it easy to log in without entering your username and password every time (via 9to5Google).

Google uses these cookies to save login credentials when you sign in to your account. Now, a zero-day exploit allows cybercriminals to retrieve these session cookies and gain unauthorized access to user accounts. The dangers of such misuse are significant because these cookies bypass passwords and two-factor authentication typically used to secure Google accounts. This means hackers can sign in to accounts even if the real user resets their password or signs out.

First revealed in October 2023 by a bad actor who goes by PRISMA, this vulnerability was reverse-engineered by CloudSEK researchers. They successfully revived Google authentication cookies which should have expired with the session. On the bright side, cookie regeneration only works once if you reset your password, but otherwise there’s no limit on regeneration.

Meanwhile, Google seems to be at work fixing the issue because one of the malware developers exploiting this vulnerability issued an update to bypass Google’s countermeasures. However, the tech giant did not respond to multiple questions from BleepingComputer about plans to mitigate the damage.

For now, this session cookie flaw remains a zero-day vulnerability actively exploited by at least six malware developers, so there’s no immediate way to know if you’ve been compromised in such an attack. To protect against such attacks, we strongly advise against installing software of unknown origin. If you use Google Chrome and you notice any abnormal activity on your Google account, do not hesitate to change your password immediately.