Malware is exploiting an undocumented Google OAuth endpoint called MultiLogin, allowing attackers to maintain access to Google services even after a password reset. The exploit, revealed by a threat actor named PRISMA and incorporated into various malware-as-a-service (MaaS) stealer families, enables session persistence and cookie generation. Specifically targeting Chrome’s token_service table, the malware extracts tokens and account IDs of logged-in Chrome profiles. Google acknowledged the attack method but stated that users can revoke stolen sessions by logging out of the affected browser. Enhanced Safe Browsing in Chrome is recommended for protection against phishing and malware downloads.