Some people like myself are aware this has been going on for a bit with cookies, but a lot of people out there don't know. Session hijacking is a big issue that can bypass Multi-factor Authentication is happening all over net, and not just with google.

Malwarebytes put out an article yesterday about an exploit that's targeting Google accounts. This is definitely something you should read even if you don't have one, but especially if you do. Hackers are bypassing multi-factor authentication and getting access to accounts and even changing your password won't prevent them accessing it.

https://www.malwarebytes.com/blog/news/2024/01/info-stealers-can-steal-cookies-for-permanent-access-to-your-google-account

I've provided links to two articles below that talk further about session hijacking, one by Imperva and one by Kasperky.

https://www.imperva.com/learn/application-security/session-hijacking/
https://www.kaspersky.com/resource-center/definitions/what-is-session-hijacking

11 months ago*

Comment has been collapsed.

stealers can steal. buy that guy a thesaurus

11 months ago
Permalink

Comment has been collapsed.

😆

11 months ago
Permalink

Comment has been collapsed.

Thanks for the post.

11 months ago
Permalink

Comment has been collapsed.

Thank you for the post!!

Edit: I checked all signed-in devices, apparently a game I abandoned months ago and uninstalled had access to my email for some reason. That's no longer a thing.

11 months ago*
Permalink

Comment has been collapsed.

The only way that they no longer have access to your e-mail is if you closed that e-mail address , just because you wiped it from the games data doesn't mean someone couldn't simply of copied it on to a piece of paper long ago

11 months ago
Permalink

Comment has been collapsed.

This type of issue is happening all over net, and not just with google, but Steam and other sites.

While session hijacking is a known type of attacks, the vulnerability discussed is specific to google accounts and exploits an undocumented google oauth endpoint

https://www.cloudsek.com/blog/compromising-google-accounts-malwares-exploiting-undocumented-oauth2-functionality-for-session-hijacking

11 months ago
Permalink

Comment has been collapsed.

Session hijacking is was I was referring to with the sentence and not the specific exploit with the Google accounts. I'm updating the OP to make that clear, sorry about the confusion.

11 months ago
Permalink

Comment has been collapsed.

I never used 2FA, that way nobody can bypass it.

View attached image.
11 months ago
Permalink

Comment has been collapsed.

Big brain move right there. :kappa:

11 months ago
Permalink

Comment has been collapsed.

That's my strategy too.
As a bonus, I don't get locked out when someone steals my phone 👀

11 months ago
Permalink

Comment has been collapsed.

Yeah tbh I never really understood how tying your identification details to a device that can easily get broken, lost, or even stolen was supposed to be "more secured".

11 months ago
Permalink

Comment has been collapsed.

Same. This is an incredible risk of getting locked out.
Sure it improves the security of geniuses who use "1234" as a password on every website, but when you do have strong and unique passwords, it's more debatable.
Issues include:

  • a successful 2FA is widely treated as "100% sure we have the right guy, you have full access no matter how fishy your connection and current activity may look" = if someone breaks your 2FA one way or antoher, there is zero damage control
  • getting locked out
  • having the 2FA hacked (sim swapping, etc)
  • people feeling it's OK to use a weak password because they have 2FA anyway

It's nice to have 2FA as an option, but it's not a one-fits-all thing. People should be able to make their choice and should be provided with as many 2FA options as possible (SMS, e-mail, OTP, etc). And ideally be able to pick combinations of methods. And companies shouldn't drop all their security checks just because someone passed 2FA.
But it's complex and requires a bit more critical thinking than just shoving a ReCaptcha and mandatory SMS down everyone's throat and calling it a day

11 months ago*
Permalink

Comment has been collapsed.

Happy Cake Day!

11 months ago
Permalink

Comment has been collapsed.

Oh, thanks 👀
Time flies...

11 months ago
Permalink

Comment has been collapsed.

First of all, to steal cookies - they need access to your PC, like running a trojan or something. If they managed to do it - well, your steam account may be the least of your problems then. Also, changing your password will still help if the service you use invalidates existing sessions when you change password. Steam, for example, does this, and in this particular case there was other exploit specifically on google, that allowed to bypass it, and only because of that additional exploit it's kinda more dangerous than usual. Other than that - nothing new, this attack vector is as old as computers.

11 months ago
Permalink

Comment has been collapsed.

Thank you for the information provided, have a nice day😊😊

11 months ago
Permalink

Comment has been collapsed.

Lovely, thanks for the post. It gains my awareness... Will try to check how they doing upon this hijacking.

11 months ago
Permalink

Comment has been collapsed.

Bump for awareness.

11 months ago
Permalink

Comment has been collapsed.

Sign in through Steam to add a comment.