How Hackers Can Pretend to be You Online by Stealing Cookies

When you log in to a service online, you start a session. Every website and web service identifies a user by their own unique session ID. If your personal session ID finds its way into the hands of a hacker, they can masquerade as you on a website. This is known as session hijacking. 

Session hijacking is fairly uncommon nowadays, as online security has increased dramatically over the past decade. Nevertheless, it is important to understand the risks that a hijacked session poses, as well as how they can be mitigated, should you find yourself in an outdated or insecure part of the net. 

What is a Session? 

Simply, a session is the way a website tracks you as you move between pages and interact with the website. A session cookie is created on a website’s server when you log in, and is deleted when you log out. This session cookie makes it easy for a website to know it is still you, and makes the web browsing experience much more convenient and hassle-free. Without session cookies, you would have to authenticate yourself every time you do something on a site. 

Because session cookies are everywhere for good reason, they also make prime targets for hackers. With session cookies being created for every site every time you log in, a hacker knows when and where to set their sights. 

Ramifications of a Stolen Session 

A stolen session could have consequences as dire as a stolen ID, depending on which website or web service the attacker targets. With a session hijack, a hacker can pretend to be you on a website without even having to hack into your account. 

Say, for example, the cookie for your online banking application is stolen, a hacker could transfer money from your bank account without even having to bypass the security checks put in place by the bank app. A stolen session ID could also be used to access the restricted data a business may keep on the company network, which can lead to data breaches or ransomware attacks. For organisations with single sign-on systems, a stolen session ID could give a hacker access to multiple password-protected applications within the organisation’s network. 

How Does Session Hijacking Happen? 

Session hijacking that occurs as a result of a stolen session cookie is most common and is described as application level or HTTP (Hypertext Transfer Protocol) session hijack. There is another type of session hijacking, known as TCP (Transfer Control Protocol) or network level session hijacking, however this type does not involve cookie theft, instead targeting information as it is transferred between the user and the website’s server. Below is a list of types of application level (HTTP) session hijacking attacks. 

Cookie Theft Malware 

This type of attack uses malware to steal cookies from a user’s browser. This attack usually relies on phishing techniques to trick victims into clicking dangerous links or downloading malware on their computer. Once downloaded, the malware will steal the victim’s session cookie and transfer it back to the hacker. This type of attack is very popular, and is now seeing a resurgence as it becomes harder for hackers to directly access a victim’s account. 

Side-Jacking 

Side jacking relies on insecure channels and user input to make an attack. An attacker will use a packet sniffer to see what the victim is doing online, and can intercept the cookie as when it is sent to a website’s server for verification. These attacks generally occur on insecure Wi-Fi hotspots so the attacker can see what the victim is doing publicly. 

Session Fixation 

This is another attack that relies on phishing. A hacker will provide their victim with a session key by linking the victim to a valid login form on a trustworthy site but with their own session key injected. When the victim logs in, it associates the session key to the victim, allowing the hacker to use this session key to hijack the session. 

Cross-site Scripting (XSS) 

XSS attacks rely on insecure or compromised websites to hijack a session. Compromised websites may have vulnerabilities that allow hackers to inject scripts that affect how the website is run on the client side. This means a hacker may link the victim to a compromised site, but the link has been injected with scripts that the victim’s browser will execute when they click the link. These scripts can be used to look for the victim’s session cookie when they connect to a compromised website and send the cookie off to the hacker. 

Preventing Session Hijacking 

A lot of session hijacking attacks happen due to the limitations of HTTP. A good start to minimise the chance of your session being hijacked is to make sure that a site you are accessing starts with HTTPS. HTTPS is the secure version of HTTP, and data sent through HTTPS is encrypted, meaning hackers can’t read your session ID as it is being sent to the website’s server. 

Avoiding public wireless networks is also a good measure. Using public Wi-Fi hotspots is convenient, but if you must use them, avoid logging in on important websites, or sending sensitive data. On open networks, hackers can easily see what is being sent and received by your device. 

Logging out at the end of every session will terminate the session, and will also terminate the hijacked session too. A lot of important web applications such as mobile banking will automatically log you out at the end of a session. It is good practise to log out of sites when you end a session just in case. 

Using antivirus software and being aware of phishing attempts will also help. Antivirus software can nip cookie stealing malware in the bud before your session is stolen. Being aware when clicking links and downloading software can prevent you from downloading any malware in the first place, as well as prevent you from clicking on links that may have XSS injections. We have a guide that can help you look out for phishing attempts here. 

How Securiwiser can Help 

With Securiwiser, you can check the strength of your organisation’s cyber security. We will provide you with real-time analysis of your cybersecurity, with helpful information on what factors may be at risk, and what you can do to improve. 

Click here for a free cybersecurity report, and find out how you can secure your organisation today.