Multiple information-stealing malware families are abusing an undocumented Google OAuth endpoint named "MultiLogin" to restore expired authentication cookies and log into users' accounts, even if an account's password was reset.
It's based on a security hole in what I'm interpreting as a web API. You leverage a legitimately logged-in Google account on a malicious website, and this web endpoint gives you keys to everything else.