Following a widespread hacker attack on Gmail users, Google has recommended a simple solution: “Try turning it off and on again.”
This advice, reminiscent of a well-known mantra from the cult classic TV series “The IT Crowd,” comes in response to reports of an attack that steals information and is resistant to password changes.
According to an intelligence analysis by CloudSEK researcher Pavan Karthick M, published on December 29, Google accounts can be compromised by abusing an undocumented authentication endpoint used for synchronization across Google services. Attackers have used it to abuse users' session cookies, which authenticate a browser to Google accounts without the user having to enter credentials. A stolen session can therefore give access to the Gmail inbox, one of the most sensitive targets an account holds.
The first mention of this exploit was on October 20 on a Russian-language Telegram channel. By November 14, it was known to be included in malware used by the criminal group Lumma, and soon after it was adopted by other threat actors. As recently as December 27, threat actors were seen on the dark web demonstrating the use of this exploit against Google account session cookies.
Changing Google Password Does Not Prevent Attack
CloudSEK's threat analysis indicates that expired session cookies could be restored to allow continued and extended access by attackers. Furthermore, the research states that the exploit enables ongoing access to Google services, even after users reset their passwords.
Have You Tried Turning It Off and On Again?
A spokesperson for Google says the company is “aware of recent reports of a malware series that steals session tokens” and acknowledges that such attacks “involving malware that steals cookies and tokens are not new.” Google also reports that they routinely upgrade defenses against such techniques and have “taken steps to secure any compromised accounts discovered” in this regard.
However, Google distances itself from some reports claiming that it is impossible to revoke stolen tokens and cookies, and here the IT Crowd mantra “have you tried turning it off and on again” becomes a reality. “Stolen sessions can be invalidated,” says Google, “by simply logging out of the affected browser, or remote revocation via the user’s device page.” Google also recommends activating Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.
The CloudSEK analysis goes into more detail regarding turning off and on again, stating: “If you suspect that your account may be compromised, or as a general precaution, you should log out of all browser profiles to invalidate the current session tokens. After this, reset your password and log in again to generate new tokens.
Resetting your password effectively disrupts unauthorized access by invalidating the old tokens that infostealers rely on, thus providing a temporary barrier to the continuation of their access.”
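The advice above rests on one design property of a login service: a password reset (or a "sign out everywhere" action) must invalidate every session token minted under the old credentials, otherwise a copied cookie keeps working after the victim changes the password. The following is an added illustration, written for this page and not code from Google, CloudSEK or the article's author. It models a hypothetical in-memory login service in which each account carries a session generation counter; tokens remember the generation they were issued under, and a reset bumps the counter. The `bind_sessions_to_generation` switch is an assumption of the model, used only to contrast a service that forgets this step with one that does it.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model of a login service (not any real provider's code).


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    # Bumped on password reset or "sign out everywhere"; sessions issued
    # under an older generation are rejected.
    session_generation: int = 0


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    def __init__(self, bind_sessions_to_generation: bool = True) -> None:
        # False models the weak design: tokens outlive a password change.
        self.bind = bind_sessions_to_generation
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Tuple[str, int]] = {}  # token -> (user, generation)

    def create_account(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt))

    def login(self, user: str, password: str) -> Optional[str]:
        acct = self.accounts.get(user)
        if acct is None:
            return None
        if not hmac.compare_digest(acct.password_hash, _hash_password(password, acct.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, acct.session_generation)
        return token

    def is_valid(self, token: str) -> bool:
        entry = self.sessions.get(token)
        if entry is None:
            return False
        user, issued_generation = entry
        if not self.bind:
            return True  # weak design: never checks whether the session was revoked
        return issued_generation == self.accounts[user].session_generation

    def sign_out_everywhere(self, user: str) -> None:
        # Revokes every outstanding session without touching the token table.
        self.accounts[user].session_generation += 1

    def reset_password(self, user: str, new_password: str) -> None:
        acct = self.accounts[user]
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _hash_password(new_password, acct.salt)
        self.sign_out_everywhere(user)


def stolen_token_survives_password_reset(bind: bool) -> bool:
    """Mint a session, pretend it was copied by an infostealer, then reset the password."""
    store = SessionStore(bind)
    store.create_account("alice", "old-password")
    stolen = store.login("alice", "old-password")  # constructed: cookie copied off the machine
    assert stolen is not None
    store.reset_password("alice", "new-password")
    return store.is_valid(stolen)


def recovery_sequence() -> Dict[str, bool]:
    """The page's recommended steps: sign out everywhere, reset the password, log in again."""
    store = SessionStore()
    store.create_account("alice", "old-password")
    stolen = store.login("alice", "old-password")
    assert stolen is not None
    store.sign_out_everywhere("alice")
    after_signout = store.is_valid(stolen)
    store.reset_password("alice", "new-password")
    fresh = store.login("alice", "new-password")
    return {
        "stolen_valid_after_signout": after_signout,
        "stolen_valid_after_reset": store.is_valid(stolen),
        "fresh_login_valid": fresh is not None and store.is_valid(fresh),
        "old_password_still_works": store.login("alice", "old-password") is not None,
    }


if __name__ == "__main__":
    print("weak design, token survives reset:", stolen_token_survives_password_reset(False))
    print("generation-bound design, token survives reset:", stolen_token_survives_password_reset(True))
    print(recovery_sequence())
```

The generation counter is what makes "log out of all browser profiles" meaningful: it revokes sessions the user cannot see, including one copied off the machine, without having to enumerate every token. A service that only rewrites the password hash, as in the `bind_sessions_to_generation=False` case, leaves a stolen cookie fully usable, which is exactly the failure the article's "resistant to password changes" wording describes.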