• by Laurie Sullivan  @lauriesullivan, January 2, 2024

Here's one more reason to say goodbye to tracking browser cookies. A recent cookie vulnerability puts Google accounts at risk, even if passwords are changed.

A cookie vulnerability has been found to leave Google accounts vulnerable even when passwords are changed. At least six malware groups actively sell this exploit.

Bleeping Computer has detailed the recent exploit where hackers have tried restoring session cookies that house user authentication information.

Session cookies typically store information temporarily, making it easy to log in without entering a username and password every time, but this exploit found a way to restore the cookies even after they have been deleted. 

The encrypted tokens are decrypted using an encryption stored in Chrome's 'Local State' file, according to one report. The same encryption key also is used to decrypt saved passwords in the browser.

The zero-day exploit is explained in a video from Hudson Rock, an Israeli cybersecurity company. The video was posted from the Darkweb where a hacker shows exploiting the generated cookies.

The cookies can bypass passwords and two-factor authentication typically used to secure Google accounts, which some suggest that hackers can sign in to accounts even when passwords are reset or the user signs out.

The vulnerability was reverse-engineered by CloudSEK researchers in October 2023, but a detailed blog on the event published last week. The researchers revived Google authentication cookies that should have expired with the session. Cookie regeneration only works once when resetting a password, but there’s no limit on regeneration, according to the report.