Watch Out for Hackers on Your Google Accounts

January 16, 2024 / meritsolutions

Google wants to retire the password, which is why it, along with other tech giants, is pushing passkeys as its successor. However, the password isn't always the weak point in a security system. Case in point: a newly reported attack lets bad actors break into Google accounts without needing a password at all.

According to researchers at CloudSEK, bad actors are using a new form of malware that abuses third-party cookies to steal information from Google accounts. The technique exploits a flaw in how session cookies are generated: through what are called "session persistence practices", attackers can keep their sessions valid even after the account's credentials change.

As a result, attackers can maintain uninterrupted access to a Google account by continuously regenerating valid Google cookies. Because the attack relies on the cookie flaw rather than on the password, changing the password does not help: the attackers never needed it in the first place, and the persistent session survives whatever the password is changed to.

Worse yet, the flaw lets bad actors circumvent two-factor authentication. Normally, enabling 2FA on your Google account is a good way to keep attackers out even if they learn your password, but this vulnerability bypasses the protection 2FA offers.

At the time of writing, Google does not appear to have a fix for this vulnerability. The general recommendation, if you suspect your Google account has been hacked, is to log out of all devices and browsers completely until Google ships a fix.
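The two points above, that a session which is not tied to the account's credentials outlives a password change, and that "log out everywhere" is the remedy that still works, are illustrated by this added example. It is a hypothetical toy session store written for this article, not code from Google or from CloudSEK's research; the class, method names and the sample account are all constructed.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    cred_version: int = 1  # bumped on password change or "log out everywhere"
def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
class SessionStore:
    def __init__(self, bind_to_credentials):
        self.bind = bind_to_credentials  # False models the weak behaviour in the article
        self.accounts, self.sessions = {}, {}  # sessions: token -> (user, cred_version at issue)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash_pw(password, salt))

    def login(self, user, password):
        acct = self.accounts[user]
        if not hmac.compare_digest(acct.pw_hash, _hash_pw(password, acct.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, acct.cred_version)
        return token

    def is_valid(self, token):
        if token not in self.sessions:
            return False
        user, issued_version = self.sessions[token]
        if not self.bind:
            return True  # weak: the session cookie outlives any password change
        return issued_version == self.accounts[user].cred_version

    def change_password(self, user, new_password):
        acct = self.accounts[user]
        acct.pw_hash = _hash_pw(new_password, acct.salt)
        acct.cred_version += 1  # with bind=True this revokes every earlier token

    def logout_everywhere(self, user):
        # The article's advice: drop every session for the user, bound or not
        self.accounts[user].cred_version += 1
        self.sessions = {t: v for t, v in self.sessions.items() if v[0] != user}

def survives_password_change(bind_to_credentials):
    store = SessionStore(bind_to_credentials)
    store.register("alice", "old-pw")  # constructed sample account
    token = store.login("alice", "old-pw")
    store.change_password("alice", "new-pw")
    return store.is_valid(token)
```

With `bind_to_credentials=False` the old token stays valid after the password change, which is the behaviour the article describes; only `logout_everywhere` clears it.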
