I thought session hijacking could only be done with 1st party cookies from google itself. I didn’t know you could session hijack with 3rd party cookies. That’s pretty interesting.
Comment on Hackers discover way to access Google accounts without a password
hperrin@lemmy.world 8 months ago
This isn’t new at all. This is called session hijacking, and it’s been around for decades.
pineapplelover@lemm.ee 8 months ago
hperrin@lemmy.world 8 months ago
The article mentions third party cookies, but it’s talking about hackers stealing first party cookies (specifically authentication cookies).
Lojcs@lemm.ee 8 months ago
I would guess they invalidate all sessions when password is reset, that part is weird
lemann@lemmy.dbzer0.com 8 months ago
Wow, this sounds a lot more serious than session hijacking. Are they straight up using Chrome’s special token to generate brand new Google Account session tokens?
If so, i’m not sure how Google is going to fix that without wrecking the Chrome user experience for non tech savvy individuals
Lojcs@lemm.ee 8 months ago
They’re using some Google api to generate the cookie(s?) with the manipulated chrome token. To me it kinda sounded like Google is using an improper method to generate the chrome token and the hackers found a way to derive other valid chrome tokens from it. Though I’m not an expert. Read it yourself to get the right picture.