Security researchers have discovered a hack that allows cybercriminals to access Google accounts without needing their passwords.
An analysis by security firm CloudSEK found that a dangerous form of malware uses third-party cookies to gain unauthorized access to people's private data and is already being actively tested by hacker groups.
The exploit was first revealed in October 2023, when a hacker posted it on a channel on the messaging platform Telegram.
The post said the accounts could be compromised through a vulnerability with cookies, which are used by websites and browsers to track their users.
Google's authentication cookies allow users to access their accounts without having to constantly enter their login information, but hackers have found a way to obtain these cookies to bypass two-factor authentication.
The researchers who first uncovered the threat say it "highlights the complexity" of modern cyber attacks.
"This exploit allows continued access to Google services, even after a user's password is reset," says Pavan Karthick M, a threat researcher at CloudSEK, in a post detailing the issue.
The security issue was analyzed in detail in a publication, titled 'Compromising Google accounts: Malwares Exploiting Undocumented OAuth2 Functionality for session hijacking', written by CloudSEK researcher Pavan Karthick M.