[HN Gopher] Exploiting Undocumented API to Regenerate Google Ser...
       ___________________________________________________________________
        
       Exploiting Undocumented API to Regenerate Google Service Cookies
        
       Author : snagg
       Score  : 34 points
       Date   : 2024-01-10 20:46 UTC (2 hours ago)
        
 (HTM) web link (www.cloudsek.com)
        
       | k8svet wrote:
       | I've had a hard time with this one, not having time to dig in:
       | 
       | 1. Why does the article describe the technique as persisting
       | through password changes, and then end by recommending a
       | password change?
       | 
       | (answer: "Changing the password alone may not be sufficient. The
       | exploit allows the regeneration of authentication cookies even
       | after a password reset, but only once. To fully secure the
       | account, users should log out of all sessions and revoke any
       | suspicious connections.")
       | 
       | 2. Was this a flub on Google's end? How does this even happen?
       | Was the multilogin API not checking revocation like all other
       | Google APIs or what?
       | 
       | 3. Is it conspiratorial to say maybe this was intentional, or
       | intentionally not fixed here?
       | 
       | I'd seen speculation that this was used as part of some sort of
       | account recovery flow, where those invalid sessions/tokens might
       | be a useful signal. But I can't imagine why such a feature would
       | re-validate those tokens.
        
         | de6u99er wrote:
         | >Changing the password alone may not be sufficient. The exploit
         | allows the regeneration of authentication cookies even after a
         | password reset, but only once. To fully secure the account,
         | users should log out of all sessions and revoke any suspicious
         | connections.
         | 
         | TL/DR: Change password and log out of all sessions.
        
       | mdaniel wrote:
       | I believe this is the same thing that was discussed 12 days ago:
       | https://news.ycombinator.com/item?id=38806650
        
         | dang wrote:
         | Thanks! Macroexpanded:
         | 
         |  _Malware abuses Google OAuth endpoint to 'revive' cookies,
         | hijack accounts_ -
         | https://news.ycombinator.com/item?id=38806650 - Dec 2023 (102
         | comments)
        
       | urbandw311er wrote:
       | > The feature started Booming
       | 
       | What is "Booming"? Is the capitalisation intended?
        
       ___________________________________________________________________
       (page generated 2024-01-10 23:01 UTC)