Comment on Hackers discover way to access Google accounts without a password
lemann@lemmy.dbzer0.com 8 months agoWow, this sounds a lot more serious than session hijacking. Are they straight up using Chrome’s special token to generate brand new Google Account session tokens?
If so, i’m not sure how Google is going to fix that without wrecking the Chrome user experience for non tech savvy individuals
Lojcs@lemm.ee 8 months ago
They’re using some Google api to generate the cookie(s?) with the manipulated chrome token. To me it kinda sounded like Google is using an improper method to generate the chrome token and the hackers found a way to derive other valid chrome tokens from it. Though I’m not an expert. Read it yourself to get the right picture.