Comment on Hackers discover way to access Google accounts without a password
Lojcs@lemm.ee 10 months agoI would guess they invalidate all sessions when password is reset, that part is weird
Comment on Hackers discover way to access Google accounts without a password
Lojcs@lemm.ee 10 months agoI would guess they invalidate all sessions when password is reset, that part is weird
lemann@lemmy.dbzer0.com 10 months ago
Wow, this sounds a lot more serious than session hijacking. Are they straight up using Chrome’s special token to generate brand new Google Account session tokens?
If so, i’m not sure how Google is going to fix that without wrecking the Chrome user experience for non tech savvy individuals
Lojcs@lemm.ee 10 months ago
They’re using some Google api to generate the cookie(s?) with the manipulated chrome token. To me it kinda sounded like Google is using an improper method to generate the chrome token and the hackers found a way to derive other valid chrome tokens from it. Though I’m not an expert. Read it yourself to get the right picture.