You most likely, within this week, have encountered several pop-ups in websites you logged into or even just visited, prompting you to “Accept Cookies.” Cookies are a simple way websites identify you while you’re surfing as well as manage sessions (depending on the type of cookie).
Cookies are a simple way you stay authenticated to a particular site. To do this, your browser sets a temporary session cookie. Hackers steal cookies by stealing cookie IDs. From here, a malicious user can manipulate a browsing session and steal the one you are in.
For example, if your cookie isn’t set with a secure flag by the web server of the site you are visiting, the cookie may be vulnerable to theft. Find out more below.
What is Cookie Scraping?
Establishing what cookie scraping is would offer you more clarity before answering the question, “Can my cookie be stolen?”Cookie scraping is known by many names – cookie stealing, session hijacking, or cookie hijacking.
Everything begins with a user initiating a session when he logs in to a particular website. This may be internet banking. The session expires when he logs out. This attack is possible when the attacker knows details about the user’s session.
In many cases, logging into a web application prompts the server to establish a temporary session cookie in the browser. Session hijacking is impossible if the attacker doesn’t know the user’s session ID or key. A user’s cookies can also be hijacked if he’s forced to click on a malicious link say from a phishing email or smishing text.
What are Different Types of Cookies?
First party cookies
This type of cookie is set up by the website a user visits. Pageviews, several users, and sessions can only be calculated from the data obtained from first-party cookies. Who has access to such data? Well, publishers do. This data afterward could be shared with advertisers or agencies for ad-targeting.
Analytic tools like Google Analytics also need first-party cookies to conduct data analysis. Afterward, such data are presented in tabular form or like graphs so that publishers can understand them.
This type of cookie is set by domains that are not used specifically by a user. Publishers must have added third-party elements like ads or social plugins to their site in cases like this.
Once installed, third-party cookies monitor and collect the users’ details for ads and behavioral advertising. A typical example is a user adding a YouTube link to their blog. Whenever this link gets clicked, the user’s browser will receive an additional YouTube link. Cookies like this track you until their expiration.
The lifespan of cookies is short. They expire immediately when a user logs out of the web browser. Cookies like this have a lot of uses. The most popular use is for e-commerce websites to remember the user’s item in a cart.
HTTPS websites can only establish secure cookies. Cookies like this run on encrypted data. E-commerce websites use secure cookies to enable safer transactions. Other sensitive services like online banking also require secure cookies to tighten security. How Do Hackers Steal Cookies?
These are the most common methods of cookie theft:
This method requires an attacker to access the login page of a particular web application. The session ID the attacker is given by the web app is then sent to the victim in a phishing email along with the URL of the site.
A diligent attacker will choose a site that he/she knows that the victim accesses or has an account with. When the user clicks that link and logs in, the attacker will have the victim’s session and can now roam free in their account. This is what a typical session fixation looks like:
A hacker uses a packet sniffer for this method. Packet sniffers monitor network traffic for troubleshooting, security, and administration tasks. Session cookies are part of network traffic. Hence hackers can track them and steal them very easily, using sniffers. Sites can be vulnerable to session sniffing especially when using an interception proxy.
Cross-site scripting (XSS)
A hacker can also run a dynamic security scan with the aid of OWASP ZAP. He can immediately launch an attack if he spots a persistent session cookie. ZAP can also find XSS vulnerabilities on a web page.
The next thing he can do is initiate session hijacking to steal the information in the persistent cookie. On the other hand, Burp can also be used to capture cookies and even manipulate sessions. For this kind of attack, changes can be made to the cookies. All the server can do is respond to those changes.
How Do I Prevent Cookie Hijacking?
Here is how to prevent cookie hijacking:
- Install powerful antivirus and use a virtual private network (VPN): Always ensure the device you’re surfing the internet with has anti-malware software installed in it. This will stop a lot of malware threats and notify you promptly when you visit a malicious website. The VPN will encrypt your network traffic, keeping you safe on public Wi-Fi and at home.
- Stay away from suspicious links: Public forums and blog posts are common target spots for hackers. Don’t click links you don’t trust, no matter how compelling the message is. Stay clear of the ones that offer unbelievable discounts or attractive offers.
- Clear cookies: You should always clear your cookies. This wipes sensitive data off your machine and browser. Browsers like Google Chrome are especially famous for storing data. Clearing the cookies and other site data stays one step ahead of a hacker’s attack.
A user’s natural defense is to stay vigilant when browsing and checking email or messages. It is also a good idea to beef up your security posture by using third-party tools to protect yourself.