Hackers discover way to access Google accounts without a password

‘Exploit enables continuous access to Google services, even after a user’s password is reset,’ researcher warns

  • hperrin@lemmy.world
    1 year ago

    This isn’t new at all. This is called session hijacking, and it’s been around for decades.

    LTT just made a couple videos about it last year, because it happened to them.

    • Lojcs@lemm.ee
      1 year ago

      I would guess they invalidate all sessions when the password is reset; that part is weird.

      Edit: read the thing. The exploit is that they steal some special token Chrome stores, and by manipulating it they can generate session cookies for the hijacked account. This doesn’t seem related to LTT.

    • /home/pineapplelover@lemm.ee
      1 year ago

      I thought session hijacking could only be done with 1st party cookies from Google itself. I didn’t know you could session hijack with 3rd party cookies. That’s pretty interesting.

      • hperrin@lemmy.world
        1 year ago

        The article mentions third party cookies, but it’s talking about hackers stealing first party cookies (specifically authentication cookies).