What Is Cookie Hijacking & How Can You Help Prevent It?
Introduction
Cookie hijacking, also known as session token hijacking, is one of the easiest and most popular ways to hack into an account. It bypasses passwords and two-factor authentication entirely. I know someone who was affected by cookie hijacking. Read the article here.
This article explains the basics of cookie hijacking, how it works and how to help prevent it.
What are cookies?
First, you need to understand what cookies actually are (not edible ones).
Whenever you visit a website, like google.com, on your computer, phone or tablet, the website will more than likely put cookies on your device. Cookies are essentially small files that store information about your usage of the site, settings you have saved on the site and also your account details (in this example, your Google account details). Cookies in themselves aren't malicious and are essential for a lot of websites to function properly. However, they can be abused by hackers.
Note that when I say "account details", I don't mean that your email address and password are stored in plain text. I mean that as long as these cookies are inside your browser, you will be automatically logged into the website. If the cookies are not stored in your browser, you will not be automatically logged in.
The Primary Methods Used For Cookie Hijacking
Here are three of the most common methods used to achieve cookie hijacking.
Malware and Phishing Emails
If you receive an email with a PDF attachment and open it on your computer, malware could be installed and run in the background without your knowledge. That malware can then steal the cookies from your browser that contain your account details. The hackers can then inject these cookies into their own browser and have full access to your account.
Intercepting an HTTP Connection
When you visit a website like google.com, you probably type "google.com" into your browser's address bar. Most browsers will, by default, interpret this as "http://google.com". Notice that the protocol at the beginning is http rather than https. http is not encrypted, so this connection can be intercepted. Once you visit the http URL, Google's web server redirects you to https://google.com, which is secure. The important thing to understand is that during this transition from http to https, a hacker can intercept your connection to Google's servers and steal the cookies from your browser that contain your account details. The hackers can then inject these cookies into their own browser and have full access to your account.
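To show what actually leaves the client during that plain-http step, here is an added example (not from the article) using Python's standard cookie jar: two constructed Google-style session cookies are stored, and the code reports which of them a client would attach to http://google.com versus https://google.com. It goes slightly beyond the article by including the Secure attribute, which a site can set on a cookie so that browsers never send it over plain http; the cookie names and values are made up.

```python
import urllib.request
from http.cookiejar import Cookie, CookieJar


def make_cookie(name, value, domain, secure):
    # Build a stored cookie the way a browser would keep it after login.
    # Every field is a parameter of http.cookiejar.Cookie; values are constructed.
    return Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True, secure=secure,
        expires=None, discard=True, comment=None, comment_url=None,
        rest={}, rfc2109=False,
    )


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url ('' if none)."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # applies DefaultCookiePolicy: domain, path and Secure checks
    return req.get_header("Cookie", "")


def demo():
    """Compare what is sent on the plain-http step versus the https request."""
    jar = CookieJar()
    # Constructed session cookies for .google.com: SID lacks Secure, SSID has it.
    jar.set_cookie(make_cookie("SID", "constructed-session-token", ".google.com", secure=False))
    jar.set_cookie(make_cookie("SSID", "constructed-secure-token", ".google.com", secure=True))
    return {
        "http": cookie_header_for(jar, "http://google.com/"),
        "https": cookie_header_for(jar, "https://google.com/"),
    }


if __name__ == "__main__":
    for scheme, header in demo().items():
        print(f"{scheme:5} -> Cookie: {header or '(none)'}")
```

The non-Secure cookie is the one an interceptor would see on the http request; the Secure one only ever travels over https.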
Using XSS Attacks to Abuse Third-Party Cookies and Cross-Site Tracking
Google often legitimately sends out important emails about your account with a button below to log in. If a hacker mimics one of these emails, you don't realise it is a phishing email, and you click the login link, you may be taken to google-account.com, for example (a domain not owned by Google), which may or may not ask you to enter your login details. Whether or not the phishing website asks for your login details, the hacker can use third-party cookies to hack into your account. The third-party cookies in this example would be the ones from google.com, because google.com is not the same domain as, or a subdomain of, the fake google-account.com domain linked from the phishing email. At this point, the hackers can perform an XSS attack to steal the cookies from your browser that contain your account details. They can then inject these cookies into their own browser and have full access to your account.
How To Help Prevent Cookie Hijacking
Don't Open Files and Links Without Verifying They're Safe First
As a general rule of thumb, you should not open files and links without verifying they're safe first. VirusTotal.com is a great tool for scanning files and links.
Enable "Always Use Secure Connections" In Your Browser
This setting means that if you go to google.com, your browser will interpret it as https://google.com rather than http://google.com, skipping the http connection altogether. Hackers will then not be able to steal cookies during the transition from http to https to hack into your accounts.
In Brave Browser, this setting is located at brave://settings/security under the "Advanced" heading.
Enable "Block Third-Party Cookies" In Your Browser
This setting means that two websites (a fake one and a legitimate one) will be unable to talk to each other and pass cookies (account details) between them. Hackers will then not be able to steal the cookies from the legitimate website to hack into your accounts.
In Brave Browser, this setting is located at brave://settings/cookies under the "General settings" heading as shown in the image below.
How Online Account Providers Can Help Prevent Cookie Hijacking
As explained in this Tweet, something that would almost completely eliminate cookie hijacking is for 2FA to require re-authorisation (for example, re-entering your authenticator app code or a code sent to your email address) whenever the cookie is injected into another browser with a different IP address from the one the cookie was originally used on.
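The provider-side check described above, as an added example that is not from the article or from any real account provider: a session store that remembers the IP a session cookie was first used from, refuses to honour the cookie from a different IP until a fresh 2FA code is supplied, and re-binds it once the code checks out. The store layout, function names and IP addresses are constructed for the demo, and the actual 2FA code verification is assumed to happen elsewhere.

```python
import secrets

# Constructed in-memory session store (session cookie value -> record). A real
# provider would keep this server-side; the record layout is an assumption here.
SESSIONS = {}


def create_session(user, client_ip):
    """Issue a session cookie value and remember the IP it was first used from."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "bound_ip": client_ip}
    return sid


def check_session(sid, client_ip):
    """Classify a request that presents a session cookie.

    Returns:
      "invalid"     - no such session (never issued, or revoked)
      "ok"          - cookie presented from the IP it is bound to
      "step_up_2fa" - cookie replayed from a different IP: do not honour it
                      until a fresh 2FA code is supplied
    """
    rec = SESSIONS.get(sid)
    if rec is None:
        return "invalid"
    if client_ip == rec["bound_ip"]:
        return "ok"
    return "step_up_2fa"


def complete_step_up(sid, client_ip, code_is_valid):
    """Re-bind the session to the new IP once the user proves the 2FA code.

    code_is_valid is the result of the provider's normal authenticator-app or
    email-code check (not implemented here). A failed code leaves the session
    unchanged, so the cookie still cannot be used from the new IP; limiting
    the number of attempts is left to the surrounding application.
    """
    rec = SESSIONS.get(sid)
    if rec is None or not code_is_valid:
        return False
    rec["bound_ip"] = client_ip
    return True


if __name__ == "__main__":
    sid = create_session("alice", "203.0.113.10")          # constructed IPs
    print(check_session(sid, "203.0.113.10"))              # ok
    print(check_session(sid, "198.51.100.7"))              # step_up_2fa
    print(complete_step_up(sid, "198.51.100.7", True))     # True
    print(check_session(sid, "198.51.100.7"))              # ok
```

Legitimate IP changes (switching from Wi-Fi to mobile data, VPNs, carrier-grade NAT) trip the same check, which is why it is framed as a step-up prompt rather than an automatic logout.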
See this video from ThioJoe and this video from Linus Tech Tips.
Conclusion
Hopefully you have learned a bit about the basics of cookie hijacking, how it works and how to help prevent it. More people need to be aware of this, as hackers are getting better and online account providers aren't keeping up or deploying patches fast enough. Spread the word!
Thanks for reading.