Hackers discover way to access Google accounts without a password::‘Exploit enables continuous access to Google services, even after a user’s password is reset,’ researcher warns
Hackers discover way to access Google accounts without a password::‘Exploit enables continuous access to Google services, even after a user’s password is reset,’ researcher warns
This isn’t new at all. This is called session hijacking, and it’s been around for decades.
LTT just made a couple videos about it last year, because it happened to them.
I would guess they invalidate all sessions when password is reset, that part is weird.
Edit: read the thing. The exploit is that they steal some special token chrome stores and by manipulating it they can generate session cookies for the hijacked account. This doesn’t seem related to ltt
I thought session hijacking could only be done with 1st party cookies from google itself. I didn’t know you could session hijack with 3rd party cookies. That’s pretty interesting.
The article mentions third party cookies, but it’s talking about hackers stealing first party cookies (specifically authentication cookies).