Articles worth reading
Best VR Headset for VRChat

Best VR Headset for VRChat

access_time June 29, 2022

Nowadays, travelling and meeting new people over long distances has become very difficult. But the online platform VRChat makes it

Global Artificial Intelligence Experts Sound the Alarm

Global Artificial Intelligence Experts Sound the Alarm

access_time February 27, 2018

Scientists warn of the malicious uses of Artificial Intelligence  A group of scientists has approved the “Barcelona Declaration”, the first

How to perfectly set up Find My iPhone to Always Keep Track Of your iPhone

How to perfectly set up Find My iPhone to Always Keep Track Of your iPhone

access_time April 1, 2019

You may have bought the all expensive iPhone but that does not mean you’re not likely to lose it. Now

Blog

What is Cookie Theft and Session Hijacking?

What is Cookie Theft and Session Hijacking?

access_time August 30, 2022 remove_red_eye 253 views

A few browsers display cookie data when you navigate to the preferences area. Later, it has become common to hide. However, it doesn’t indicate that attackers can’t access it. They can use Cross-Site Scripting (XSS) to steal them, which you have stored. That is called cookie theft. While transiting, it is also visible. You can find it in plain text in the headers of each request to the web server. If attackers are noticing network traffic, they can see it. This procedure is simple on an open Wi-Fi network, which you can find at coffee shops and other businesses.

What are Cookies?

The HTTP Cookies, internet cookies, browser cookies are a tiny blocks of data created by the server, while you browsing a website and it is stored on the user’s browser. They enable servers to store important data. There are various types of cookies such as authentication cookies, tracking cookies etc. Each of them has their own functions.

What is Cookie Theft?

Cookie theft is called a “pass-the-cookie attack.” It is one of the sessions hijacking tactics through which attackers can access user accounts. These keep the session data stored in the browser. Therefore, it usually occurs while attackers steal the session ID of any victim.

When Does Cookie Theft Occur?

It occurs while a third party copies unencrypted session data and uses it to act as another person to the original user.

In addition, it occurs while we access trusted sites over an unprotected or public Wi-Fi network. They can encrypt the username and password of any site, but it’s not possible for the session data.

They usually execute it in two common ways, which include:

  • First, they trick users into tapping on a malicious link with a pre-set session ID.
  • They steal the recent session data.
  • As per reports, it occurs while an attacker accesses a secure website via an unprotected public Wi-Fi connection. Although you encrypt the credentials in transit, hackers can access the session ID and data.

How Does Cookie Theft Work?

Attackers access sites by copying a person’s cookie over the same network. After that, they can do malicious actions. For example, hackers can generate false posts in your name to transfer money out of a bank. But it relies on the sites which hackers access while monitoring the network. Nowadays, an attacker can monitor the packets easily using hacking software.

It is possible to avoid cookie theft by only signing in over SSL connections or employing HTTPS protocol to encrypt the connection. However, it is always better not to access sites over unsecured networks.

Suppose there is a website used to store the user’s login state by creating the terrible security choice as plain text.

<?php

setcookie(‘user_id’, 42);

setcookie(‘logged_in’, true);

?>

You can find the response in plain text.

HTTP/1.0 200 OK

Content-type: text/html

Set-Cookie: user_id=42

Set-Cookie: logged_in=true

After that, each request back to the web server will show the values in plain text.

GET /any_page.php HTTP/1.1

Host: 55.66.77.88

Cookie: user_id=42; logged_in=true

When hackers see the information, they steal it easily. After that, they will forge a request and add the information to act as if it were theirs. They can set these to the values or forge the requests including “user_id=42; logged_in=true”.

Hackers can modify the values also. For instance, they can try “user_id=1; logged_in=true” to see if it can grant access to another account.

How To Be Safe From Cookie Theft?

It is possible to avoid these by taking measures like:

  • First, you should analyze the malware detection and warnings using your antivirus software.
  • You should not tap on suspicious links or messages.
  • Try virus scanning before installing software.
  • Turn on “Enhanced safe browsing protection” mode in the Chrome browser.
  • Turn on 2-step verification to your accounts.
  • Be conscious regarding encrypted archives.

The best thing is not to put anything of value in them where it could be intercepted. You should store only non-sensitive data. For instance, you can store a user’s language preference or most recent choice to sort a data table. These aren’t sensitive. Hackers might get something from them.

If you want, store sensitive data in a server-side session. A session means a file or database record on the server side containing the user’s data. Remember that sensitive data always exist on the server. Therefore, you can’t observe these in transit or storage of the user’s browser.

Instead, they send the browser a reference identifier (“session ID”). Hence, the session ID must be a unique and long string to stop random guessing. Although the data is not noticeable in transit, remember that the session ID is noticeable in transit. Therefore, you can take extra precautions.

It is best to set the expiration dates. Don’t allow them to linger. When these are valid for longer, hackers get more time to exploit them. If you make one with an expiration date, the web browser will delete it after that date.

Try to set them with a domain and path specified. It is available via a primary domain (“site.com”) by default. If you can specify a more restricted subdomain (“store.site.com,” “upload.site.com,” or “members.site.com”) or file path, you can use them only for those URLs. It is an application of the Principle of Least privilege.

Encrypt The Data:

You can encrypt the data using a two-way encryption algorithm for sensitive items. However, all algorithms don’t support it. Still, you can both encrypt and decrypt the values. The benefit of encrypting them is that the data is never available in plain text, transit, or storage if other protections fail.

Sign Cookies:

These allow you to sign as protection against modification. Although people can do it with any of them, it is possible with the encrypted values as the original value is obscured.

Signing indicates the calculation of a checksum for the information. It means running the value via an algorithm returning a similar string every time.

After that, the checksum might be appended to the data. Sometimes, people use a token to separate the value from the checksum. Once people receive the data, the string will be split. If these match, the value is similar. If these do not match, the value has been modified.

We have given here an instance of signing a string in PHP:

<?php

function signing_checksum($string) {

$salt = “qi02BcXzp639”; // makes process hard to guess

return hash(‘sha1’, $string . $salt);

}

function sign_string($string) {

return $string . ‘–.’ signing_checksum($string);

}

function signed_string_is_valid($signed_string) {

$array = explode(‘–‘, $signed_string);

// if not 2 parts, it is malformed or not signed

if(count($array) != 2) { return false; }

$new_checksum = signing_checksum($array[0]);

return ($new_checksum === $array[1]);

How Do YouTube Creators Get Targeted?

Usually, YouTube video content creators give their email IDs for business purposes. Hackers use email addresses to send forged business emails. These appear as an existing organization and soliciting participation in a video commercial. In addition, hackers send an email introducing the company with their offerings to the chosen email address.

As soon as users want to have the offer, an email appears with a malware landing page disguised as a software download URL.

Once you tap the link, hackers can give crafted malware-infected files and the user’s YouTube channel login cookies. After that, they encrypt the result of the file, making it harder to identify the intentions. In addition, they can hijack the users’ YouTube accounts and channels. They don’t require a username or password.

The Bottom Line:

Research shows that hackers have already exploited more than 1,011 domains connected with bogus firms to give malware. Luminar, Cisco VPN, and Steam games are names of websites that impersonate legitimate software sites.

Frequently Asked Questions:

  • Can you get hacked through these?

You might be a victim of “session hijacking.” Attackers access browsers and mimic users to steal them from that browser.

  • How do these get stolen?

It occurs while third parties copy unencrypted session data to impersonate users.

  • How do hackers steal them?

Hackers perform these attacks using malware to steam these from browsers. It generally depends on phishing techniques where their motive is to trick victims into tapping harmful links. When victims download malware on their computer, it will steal session data and share it with the hacker.

folder_openAssigned tags
content_copyCategorized under