Hackers linked to ToddyCat have found a neat little shortcut into corporate Gmail: no password, no phishing page, just a browser session that is already signed in. Kaspersky says the new tool, Umbrij, can abuse Chromium-based browsers to pull OAuth access to Gmail data, including mail, calendars, contacts, and cloud storage.
The trick depends on a very ordinary mistake: someone leaves a Google account logged in. From there, attackers can connect to the browser through a debugging port, ask Google for a token with broad permissions, and keep moving. It is the sort of access that can sit quietly for a long time, which is exactly why it is so annoying to defenders and so attractive to intruders.
How Umbrij abuses saved browser sessions
Umbrij is aimed at enterprise Gmail accounts and works inside browsers based on Chromium. Rather than stealing a password, it rides on an authenticated session and requests OAuth access through Google’s APIs. That lets an attacker automate repeated attempts to reach organizational email at scale, which turns a single weak point into a steady intrusion channel.
- Target: corporate Gmail accounts
- Access path: saved Google session in a Chromium browser
- Method: browser debugging port plus OAuth token request
- Data exposed: mail, calendar, contacts, and cloud storage
Why this is harder to spot than a stolen password
The ugly part is persistence. If attackers get token-based access, they can read messages without triggering the obvious signs people associate with a classic account takeover. Google’s ecosystem has become both the office and the lock on the office door, which is convenient until someone learns how to pick the lock using the browser itself.
Kaspersky’s advice is simple enough, which usually means it is easy to ignore: check third-party apps attached to Google accounts and watch for browsers launched with a debugging port. For regular users, that behavior is unusual; for defenders, it is a useful tripwire. Similar browser-side abuse has cropped up elsewhere before, and the common theme is boring hygiene failing in a very expensive way.
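The second tripwire above, sketched as an added example that is not from Kaspersky or the original article: a Python check over process-creation events for Chromium-based browsers started with Chromium's `--remote-debugging-port` switch. The event field names, the browser list and the sample records are assumptions constructed for illustration.

```python
import re
import shlex

# Assumed list of Chromium-based browser binaries; extend for your fleet.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chrome", "chromium", "msedge"}
FLAG = "--remote-debugging-port"

def debug_port(command_line):
    """Return the requested port if FLAG is a real argument, else None."""
    try:
        tokens = shlex.split(command_line, posix=False)  # keeps Windows backslashes
    except ValueError:  # unbalanced quotes: fall back to a plain split
        tokens = command_line.split()
    for tok in (t.strip('"') for t in tokens):
        # Match whole arguments only, so the string inside a URL does not hit.
        if tok == FLAG or tok.startswith(FLAG + "="):
            return tok.partition("=")[2] or "unspecified"
    return None

def find_debug_launches(events):
    """List browser launches that expose a debugging port."""
    hits = []
    for ev in events:
        name = re.split(r"[\\/]", ev["image"])[-1].lower()
        port = debug_port(ev["command_line"]) if name in BROWSERS else None
        if port is not None:
            hits.append({"host": ev["host"], "browser": name, "port": port,
                         "parent": ev["parent_image"]})
    return hits

# Constructed sample records (hypothetical field names, not a real log schema).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": CHROME, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": f'"{CHROME}" --profile-directory=Default'},
    {"host": "ws-02", "image": CHROME, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": f'"{CHROME}" --remote-debugging-port=9222'},
    {"host": "ws-03", "image": CHROME, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": f'"{CHROME}" https://intranet.example/?q=--remote-debugging-port=9222'},
    {"host": "ws-04", "image": r"C:\Tools\node.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "node.exe app.js --remote-debugging-port=9229"},
    {"host": "lx-05", "image": "/usr/bin/chromium", "parent_image": "/usr/bin/bash",
     "command_line": "/usr/bin/chromium --remote-debugging-port=0"},
]

if __name__ == "__main__":
    for hit in find_debug_launches(SAMPLE_EVENTS):
        print(hit)
```

A hit is a lead for triage rather than a verdict, since developers and test automation also start browsers this way; the recorded parent process helps separate the two.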
What companies should look for next
Security teams should treat logged-in browsers as part of the identity perimeter, not just the endpoint. If Umbrij works the way Kaspersky says it does, the next wave of attacks will not need better phishing copy; they will need better operational discipline from the victim. That is a much less glamorous fix, and a much harder one to automate away.

