Hackers can now access your Google account without password
Table of Contents
Hackers now have access to Google services even after a user resets their password thanks to a new exploit that cybercriminals discovered a way to access people’s Google accounts without requiring a password.
The Independent and security firm CloudSEK both conducted analyses on the new vulnerability. Additionally, in October 2023, a hacker tweeted about the problem on a Telegram channel, which brought it to light for the first time.
According to the Independent research, third-party cookies, which websites and browsers employ to track users and improve their performance, have a vulnerability that might lead to the breach of Google accounts.
What are cookies on websites?
A web server creates cookies, which are little data files that are sent to a web browser. For the duration of a user’s session on a website, or for a predefined amount of time, web browsers retain the cookies they receive. Any further requests the user makes to the web server are associated with the appropriate cookies.
Cookies provide websites with information about the user, allowing them to customise the user experience. Cookies are used by e-commerce websites, for instance, to track the products that customers have added to their shopping carts. Furthermore, certain cookies—like authentication cookies—are required for security reasons (see below).
Another name for cookies that are used online is “HTTP cookies.” Cookies are sent over the HTTP protocol, just like a lot of the internet.
Where are cookies stored?
Cookies are saved by web browsers on users’ devices in a specific file. For example, the web browser Google Chrome keeps track of all cookies in a file called “Cookies.” By accessing the developer tools, selecting the “Application” tab, and selecting “Cookies” from the left side menu, Chrome users can inspect the cookies that the browser has saved.
What are cookies used for?
- User sessions: Cookies provide the connection of a particular user with website activities. A session cookie is a special string made up of characters and numbers that associates a user session with information specific to that user.
Let’s say Alice has a shopping online account. Using the homepage of the website, she logs into her account. Alice’s browser receives a session cookie from the website’s server after she logs in. The website loads Alice’s account content as a result of this cookie, displaying “Welcome, Alice” on the homepage.
After that, Alice clicks on a product page that shows a pair of jeans. Alice’s session cookie is included in the HTTP request that Alice’s web browser makes to the website for the jeans product page. This cookie allows the website to identify the user as Alice, saving her from having to check in each time a new page loads.
- Personalisation: A website can “remember” user preferences or behaviours with the use of cookies, which allows the website to tailor the user’s experience.
Alice’s username may be delivered to her web browser and saved in a cookie even after she logs off of the purchasing website. The web browser delivers this cookie to the web server the next time Alice opens that page, prompting her to log in using her previous username.
- Tracking: A few cookies keep track of the websites that people visit. The next time the browser needs to load material from the server, this information is transmitted back to the server that set the cookie. This procedure occurs each time the browser loads a website that makes use of the third-party tracking cookie.
Alice may be reading a product page for jeans right now if Alice’s browser received a tracking cookie from a website she visited in the past. Alice might receive advertisements for jeans the next time she views a website that makes use of this monitoring service.
But tracking cookies aren’t just used for advertising. Tracking cookies are also used by a lot of analytics services to collect anonymous user data. (Cloudflare Web Analytics is one of the few services that protects user privacy by not using cookies to give analytics.)
What is a third-party cookie?
A cookie from a domain other than the one that the browser displays is known as a third-party cookie. Tracking is the main use case for third-party cookies. They stand in contrast to first-party cookies, which are linked to the same domain that the user’s browser displays.
The jeans.example.com origin server employs a session cookie when Alice shops there in order to keep track of her account login information. An illustration of a first-party cookie is this one. Even while Alice isn’t now visiting example.ad-network.com, she might not be aware that a cookie from that website is also kept in her browser and is monitoring her activity on jeans.example.com. An illustration of a third-party cookie is this one.
How Hackers Steal Cookies
Users may remember passwords, preserve authentication, and autofill forms with the help of browsers. Although it may appear practical, attackers can take use of this feature to obtain login credentials and avoid the challenge.
Browsers employ cookie-containing SQLite database files in the background. These cookies consist of key-value pairs, where the values frequently hold important data like expiration dates and tokens.
Adversaries are aware of the precise name and location of these files on a variety of operating systems and major browsers, including Chrome, Firefox, and even Brave. For this reason, an attack may be prearranged. These scripts are frequently found with other modules in malware that steals information.
For instance, the most recent iteration of the Emotet botnet targets browser-stored passwords and cookies, including credit card information. “Google’s Chrome browser uses the same encryption method to store both multi-factor authentication cookies and credit card data,” the Sophos researchers claim.
Attackers can also use spear-phishing and phishing campaigns to implant droppers that can covertly release cookie-stealer malware in order to obtain initial access.
After that, the cookies are utilised for lateral and post-exploitation movements. Cybercriminals can use them to alter user account passwords and emails, lure victims into installing further malware, or even use Impacket kit and Cobalt Strike, two more exploitation tools.
How Users Can Protect Access
Passwords should not be saved using built-in features unless the browser encrypts them using a master password or something similar. It is advised that users disable the “remember passwords” setting and probably stop allowing persistent sessions as well.
Even if it’s not the normal behaviour, you can typically adjust the settings to stop the browser from requesting your password each time you log in. Additionally, you may set your browser to automatically remove all cookies when it closes.
Password managers can eliminate the inconvenience of typing in your credentials, despite the fact that they require reauthentication every time you use them. Remember that it is not impenetrable, though, as malicious software may still be able to install phoney extensions or processes that monitor local traffic and information transmitted by your password manager.
Even if you utilise security-enhanced solutions like Brave, it’s still a lot better approach than relying on your browser to keep authentication for days at a time.
Researchers found that even while session-specific cookies are deleted when the browser is closed, some programmes, such as Slack, employ persistent cookies and stay open forever in some situations.
Because some programmes use their own cookie stores—sometimes without an expiration date—they could be subject to cookie thefts.
