Despite Google's attempts to reassure and downplay the issue, security researchers continue to warn of an exploit that uses an unauthenticated OAuth endpoint called “MultiLogin” to restore expired cookies and login to user accounts. This vulnerability seems to be particularly popular among malware developers at the moment.
Since the first reports of the vulnerability, Google has now taken a public stance for the first time and denied the issue: It's not an API issue, but rather “regular cookie theft,” the company said. “Disturbed PCs.”
The company says it has “secured the compromised accounts” and that the API is working as intended. Affected Update codes can be permanently disabled by manually logging out of the device. For the experts at Bleeping Computer, this is not a convincing answer, as it is not possible to determine how many people have actually been affected by the vulnerability, and no protection has been created for future victims.
