Comment on Hackers discover way to access Google accounts without a password
Lojcs@lemm.ee 1 year agoI would guess they invalidate all sessions when password is reset, that part is weird
Comment on Hackers discover way to access Google accounts without a password
Lojcs@lemm.ee 1 year agoI would guess they invalidate all sessions when password is reset, that part is weird
lemann@lemmy.dbzer0.com 1 year ago
Wow, this sounds a lot more serious than session hijacking. Are they straight up using Chrome’s special token to generate brand new Google Account session tokens?
If so, i’m not sure how Google is going to fix that without wrecking the Chrome user experience for non tech savvy individuals
Lojcs@lemm.ee 1 year ago
They’re using some Google api to generate the cookie(s?) with the manipulated chrome token. To me it kinda sounded like Google is using an improper method to generate the chrome token and the hackers found a way to derive other valid chrome tokens from it. Though I’m not an expert. Read it yourself to get the right picture.