Google password resets not enough to stop these info-stealing malware strains

Security researchers say info-stealing malware can still access victims' compromised Google accounts even after passwords have been changed. A zero-day exploit of Google account security was first teased by a cybercriminal known as "PRISMA" in October 2023, boasting that the technique could be used to log back into a victim's …

  1. Dan 55

    Session cookie stealing is not an unknown thing

    We've known for a while that there's malware which copies your entire browser profile and uses it to access accounts belonging to open sessions. Google really should be checking if a session is suddenly accessed from an IP in a different country, asking for the password before allowing certain settings to be changed, and any password change should immediately invalidate all sessions.

    1. MiguelC

      Re: Session cookie stealing is not an unknown thing

      "any password change should immediately invalidate all sessions."

      This should be enough, and easy to implement.

      1. plunet

        Re: Session cookie stealing is not an unknown thing

        Perhaps it should be an option on the password change page, with perhaps the default to invalidate all sessions and an explainer to help users choose the right thing to do.

        If you're just changing your password because you want to and not because of any specific risk, then forcing all sessions to reset might be a sledgehammer to crack a nut in terms of user experience.

    2. Eric Olson

      Re: Session cookie stealing is not an unknown thing

      Not only is it a known issue, I'm pretty sure other sites offer a mechanism to invalidate all current logins to your device during password reset, mitigating this type of attack. Google even alludes to this in their response at the end, but that it's not offered during reset or change is an odd thing.
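The mechanism discussed in this thread, as an added example that is not code from The Register, the commenters or Google: a server-side session store in which every session records the password "generation" it was issued under, so a password change revokes every older cookie (including copies lifted by an info-stealer), with plunet's option of keeping the session that made the change and Dan 55's check for use from a different country. All names, the generation counter and the sample country codes are hypothetical.

```python
import secrets
from dataclasses import dataclass


@dataclass
class User:
    username: str
    password_hash: str            # stand-in; hash with a real KDF (argon2/bcrypt) in practice
    password_generation: int = 0  # incremented on every password change


@dataclass
class Session:
    username: str
    password_generation: int      # generation the session was issued under
    country: str                  # country seen at login (constructed sample value)


class SessionStore:
    """Server-side session registry (hypothetical). A session stays valid only
    while its generation matches the user's current one, so changing the
    password revokes every cookie issued earlier, stolen copies included."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def login(self, user: User, country: str) -> str:
        self.users[user.username] = user
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user.username, user.password_generation, country)
        return token

    def check(self, token: str, country: str) -> str:
        """Returns 'ok', 'unknown', 'revoked' or 'geo_mismatch'."""
        s = self.sessions.get(token)
        if s is None:
            return "unknown"
        if s.password_generation != self.users[s.username].password_generation:
            del self.sessions[token]  # stale generation: password was changed since issue
            return "revoked"
        if s.country != country:
            return "geo_mismatch"     # candidate for step-up auth, not silent acceptance
        return "ok"

    def change_password(self, username: str, new_hash: str, keep_token: str = "") -> None:
        user = self.users[username]
        user.password_hash = new_hash
        user.password_generation += 1    # every existing session is now stale
        if keep_token in self.sessions:  # optionally keep the session that made the change
            self.sessions[keep_token].password_generation = user.password_generation
```

Cookies that the malware already copied fail with "revoked" on their next use, while the browser used to change the password keeps working when its token is passed as `keep_token`.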

  2. Ayemooth

    stolen sessions can be invalidated by simply signing out..

    "stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user's devices page."

    And how do I find out which of my browsers or devices (laptop? Phone? Tablet? Which browser, if I use more than one?) I need to log out from or otherwise revoke?

    1. Eric Olson

      Re: stolen sessions can be invalidated by simply signing out..

      @Ayemooth

      If you go here: https://myaccount.google.com/security after logging in to your Google Account, you can scroll down and see all the devices currently logged in. From there, you can also log out individual devices, or all of them.

      It's not the best option for most people given how buried it is.

    2. Anonymous Coward

      Re: stolen sessions can be invalidated by simply signing out..

      That was the only 'google comment' in their response that meant anything. It's on the devices page, wherever that is this month.

      The only problem is that this only works AFTER you've disinfected your computer...

  3. mpi

    Passwords are dead! Let's entrust all our authentications to big tech companies!

    What could possibly go wrong...

  4. cookieMonster

    Enhanced Safe Browsing in Chrome

    Works as well as “Incognito” mode???

  5. captain veg

    Well,

    As someone who doesn't use any Google service, should I be

    a) Smug.

    b) Worried because I habitually browse using a non-Google but Blink-based browser?

    -A.

  6. Anonymous Coward

    Just a question...

    So that only happens on Chrome then?

    1. VBF

      Re: Just a question...

      Seeing as Edge is Chromium-based, I doubt it!
