Security researchers have discovered a hack that allows cybercriminals to obtain access to Google accounts without needing their passwords.
An analysis by security firm CloudSEK found that a dangerous form of malware uses third-party cookies to gain unauthorized access to private data people and is already being actively tested by teams hacker.
The exploit was first revealed in October 2023, when a hacker posted it on an anti-resource platform channel.changeof Telegram messages.
The post said the accounts could be compromised through a vulnerability with cookies, which are used by websites andletterbrowsers to track their users.
Google's authentication cookies allow users to access their accounts without having to constantly enter their login information, but hackers have found a way to obtain these cookies to bypass two-factor authentication.
The researchers who first uncovered the threat say it "highlights the complexity" of modern cyber attacks.
"This exploit allows continued access to Google services, even after a user's password is reset," says Pavan Karthick M, a threat researcher at CloudSEK, in a post detailing the issue.
The security issue was analyzed in detail in a publication, titled 'Compromising Google accounts: Malwares Exploiting Undocumented OAuth2 Functionality for session hijacking', written by CloudSEK researcher Pavan Karthick M.