Security Bits logo - a green padlock with the words Security Bits to the right and in tiny letters below ithat it says 10101010 indicating a digital lock

Security Bits — 21 January 2024

Feedback & Followups

Deep Dive 1 — Malware Resurrecting Google Sessions

TL;DR if you change your Google Password because you suspect your account has been compromised, you need to change your password and remove all linked devices from your account, especially if you use the desktop version of the Chrome browser (just Google’s Chrome, not other Chromium-based browsers).

This story has been bubbling away for months, but it’s been utterly lacking in detail and clarity, so I’ve never felt it was appropriate to include it in these segments. But, we now finally have enough clarity for a meaningful discussion.

For months now malware-as-a-service offerings have been claiming to support ‘resurrection’ of Google sessions. The claim was that attackers could reconnect to Google services like Google Drive even after the victim changed their password. This was a big claim, and there was no evidence to back it up, and no plausible mechanism.

Now, we know enough to verify that the claim is at least mostly true, and we understand how the attack works.

When you log into the Chrome desktop browser, a secret key is generated by the browser that represents your authorisation to use Google services. It acts as a kind of single sign-on session token, allowing you to stay logged in to all Google services so long as you stay logged in to the browser. Google provide an API that accepts these tokens as inputs and returns fresh session IDs for Google services. If an attacker steals one of these tokens, they can log into any Google service without needing to authenticate, i.e. without a password, 2FA, or Passkey.

Changing your password doesn’t invalidate existing tokens, it just stops new tokens being created! But, Google’s account security pages do provide options to terminate all sessions and remove any logged-in devices from your account.…

These tokens also have a finite lifetime, so attackers can’t resurrect sessions indefinitely.

A very important point is that the only way to steal these tokens is to hack a computer that’s logged in to Chrome. Unless you have malware on your computer, you’re not at risk from this, so the best protection is to avoid getting hacked in the first place!

There’s just one take-home message really — if you use the Chrome browser on a desktop computer, and that computer gets hacked, you need to update your Google password and invalidate all sessions and disconnect all devices from your account.


Deep Dive 2 — China Cracks AirDrop Anonymity (Probably, and with a Caveat)

There have been rumblings for years that Apple’s AirDrop does not hide Apple IDs well enough. At the root of the problem is the competing need to distinguish between AirDrop requests from people in your contact list, and protecting your anonymity.

Apple rely on cryptographic hashing algorithms to do this, and their design is not strong enough to withstand some types of attack. Security researchers have both flagged this weakness and recommended protocol changes that would remedy the problem, but Apple have not chosen to act, and probably can’t without breaking backwards compatibility with current and previous OSes.

While researchers were aware of the weaknesses in the hashes, they were not aware of the fact that receiving devices store logs of AirDrop activities, and those logs also include the weak hashes. In the past, it was assumed an attacker would need to be watching the Bluetooth/WiFi traffic as the exchange was happening. Now we know that if a phone is seized and the user forced to unlock it, the hashes of all the Apple IDs that sent files to the device can be retrieved.

The final piece of the puzzle is rainbow tables. A hash is a function that can be performed quickly in one direction, but can’t be feasibly reversed. If you know all possible inputs, you can attack hashes by precomputing the hash for each possible input and building a searchable table of all the results. This kind of table is known as a rainbow table.

It would not be possible to either build or store a rainbow table with the hashes for all possible phone numbers and Apple IDs, but that’s not necessary for a government to build a useful rainbow table. What it appears the Chinese have done is build a rainbow table that covers every existing phone number in China. It’s easy for a totalitarian government to get that kind if data from the carriers in their country! It also seems that they have precomputed the hashes for some email addresses too. It seems they have a list of Apple IDs of interest from somewhere. Perhaps they are capturing Apple IDs somewhere in the Great Firewall of China, or they were able to get the list of all Chinese Apple IDs from Apple, or the Chinese company Apple were forced to partner with to provide the data centers for the Chinese version of iCloud provided these Apple IDs.

So, what does this mean for the typical NosillaCastaway? If you’re not in China, probably not a lot. But you should be aware that any government with enough resources, and the inclination to do so, can precompute the hashes for all cellphone numbers in their country, and for any other cell phone numbers or email addresses they are interested in.

The only possible fix would be an updated AirDrop protocol, and that is unlikely to come before iOS 18 this fall, and Apple have not made any kind of promise to do any such thing, so it may never happen.


❗ Action Alerts

Worthy Warnings

Notable News

Top Tips

Palate Cleansers


When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
A link to graphical content, probably a chart, graph, or diagram.
A story that has been over-hyped in the media, or, “no need to light your hair on fire”
A link to an article behind a paywall.
A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
A tip of the hat to thank a member of the community for bringing the story to our attention.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top