Poisoned Cookies: 5 Notable Attack Vectors For Session Hijacking Using Cookies

Cookies; a childhood delight for many, a fondness that continued throughout life. When you say the word, you think of one thing – sugary treats. Otherwise, most of us are aware that cookies in the digital world are present but don’t really understand what they do. Most of our interactions with cookies online come from visiting media sites that prompt us to accept cookies. However, cookies and their use online are an important underpinning of the worldwide web, and their functionality has changed throughout the years. Many technologies associated with the internet are used for nefarious purposes, and cookies are no different.

Cookies are tiny files which you generally receive when visiting a website. These are stored on your computer, and hold a small amount of data relevant to you, the user, and the website you’ve visited. This data is usually passwords, usernames, and session tokens. For example, you may have cookies from social media accounts. When you visit the social media webpage again, the website will access the cookies it previously transferred to you. It can identify you at this stage, and tailor the page for you.

This mostly consists of automatic logins and loading social feeds, but it has some other purposes many don’t realize. A shopping cart on any e-commerce website relies on cookies. Google Maps greatly relies on cookies too. Cookies shape our personalized experience of the web.

The cookies that store your passwords are called Permanent Cookies. If you’ve ever used Password Manager on Google Chrome, these are your permanent cookies. It’s generally good practice to delete these periodically.

When you were younger (and maybe even now), you didn’t want anybody stealing from your cookie jar. With online cookies, you should remember that it’s not a great feeling. Stealing from the digital cookie jar has several different names: Cookie poisoning, Cooking hijacking, and mostly commonly Session Hijacking.

Session Hijacking is rampant. Think of every single website you sign into. It is very likely that one or more is vulnerable to session hijacking. A number of years ago, a report stated that 31% of all e-commerce sites were vulnerable to session hijacking, and it’s only gotten worse. So how does it work?

When you log in to a website, the server sets temporary session cookies in your browser. These cookies are in place to ensure the website knows you’re logged in. All that website needs to know that you are really who you claim are those cookies. This is where a Man-In-The-Middle (MITM) can happen. When you connect to the website, a hacker can easily monitor the network to intercept your cookies and copy their session ID. With this ID, the hacker can return to the website and present the server with your cookies, and fool it into thinking that the hacker is you.

When the hacker is in, they can do anything that you’re authorized to do on the website. This includes purchasing items, stealing company information, starting money transfers from your bank account, and stealing information that can be used for identity theft.

For large enterprise systems that use a Single-Sign System, this can be devastating as entire financial records and company documents and details are uncovered in a single attack.

The two most common versions of these attacks involve Session Sniffing and Cross-Site Scripting (XSS).

Session Sniffing occurs when a hacker uses a packet sniffer, which are often legitimate products, and scans all the traffic on the network. Included in this traffic are session cookies. The hacker will have his system set up to target these. Session Sniffing is most common on public-WiFi; coffee shops, airports, universities, city hotspots, etc.

XSS goes for a more complex approach but can often net more victims. XSS has a plethora of functionality outside Session Hijacking, but as a general rule, it occurs when a hacker injects malicious code into a vulnerable website. When a user accesses the website, it runs the code because their device trusts the website, leading to the hacker’s desired payload being executed. In the realm of Session Hijacking, XSS can be used to grab incoming cookies. This way, a popular website that is compromised can gather thousands of session IDs from users logging in.

If any of this sounds complicated to perform, it’s not. In the world of hacking, hackers are often fiercely intelligent individuals who develop malware far more complex than most of the apps we use on a day-to-day basis. Session Hijacking has been called “Hacking-For-Dummies” in the past, and a simple Google or Youtube search will give you a step-by-step guide. There are exceptions to this of course, and some methods are notable complex, which in turn makes them more effective.

Session Hijacking Attacks Using Cookies #5: WordPress XSS Exploits




WordPress evolved from a beginner’s tool for web development to the de-facto name in the industry. While still exceptionally user-friendly, seasoned users of the service have created beautifully written websites using complex methods. Systems with a low barrier to entry but a high skill ceiling are often popular ones, and WordPress is no exception to this.

One of WordPress many popular features is it’s community-created modules, namely themes and plugins.

Themes are created to give a website its look-and-feel. This can be anything to color theme, image placement, blog post listings, and general layout. Themes are the skeletal structure of a WordPress website.

Plugins, on the other hand, are not so easily defined. Plugins can be anything created by the community to augment your website. This could be a contact form, image slider, Google Analytics Aid, Drag-And-Drop page builder, and more. As of 2020, there were 70,000 different plugins available for WordPress.

Community curated systems like these can be amazing, but they’re easily abused, especially when it comes to session hijacking.

OneTone was a popular WordPress theme several years ago but has since been discontinued. It was still used after its development, which made it an attractive target for hackers – Its original developers no longer supported it. A vulnerability within the themes function.php file allowed a hacker to inject malicious code into the website’s core. When the site administrator visited his page, he was redirected to the hackers’ own domain, where his cookies could be read easily. Even when the administrator had cleaned up the infected, the hacker already had his cookies which worked as a backdoor for later unauthorized entries.

A more recent and much more severe attack came last year. Ninja Forms is a popular forms plugin that allows the administrator to add a form to their website. A legacy version of the plugin was breached using XSS attacks. When an administrator used the form, the code was executed, and their cookies were stolen. Like OneTone, this allowed the hacker administrator access into that WordPress account. Additionally, infected websites would redirect users to malicious websites that attempted various attacks if they were unprotected.

Session Hijacking Attacks Using Cookies #4: FaceNiff




FaceNiff was one of the first popular Android based session hijackers that hit the mobile market. Google Play do not allow malicious apps on their store, and so the .apk which forms the application has to be found elsewhere on the internet. It also requires the hacker to have rooted their Android.

When opened, FaceNiff will scan it’s network using Session Sniffing. Initially it only searched for Facebook logins, but the app has branched out to include YouTube, Amazon, and others.

FaceNiff is used on Public WiFi usually. Once it detects Facebook (or other) session IDs, it will immediately do the heavy lifting in terms of ID translations, and will present the hackers with email addresses and passwords used for login.

Apps like FaceNiff are extremely easy to get, and to use. Often when we thinking of hacking on Public WiFi we get a mental image of a man with his hood up hunched over a laptop in a coffee shop. This idea is somewhat dangerous as it conceals the reality. A hacker using FaceNiff is more likely to be an ordinary looking individual, sitting an airport gate on their phone – Just like everybody else.

Session Hijacking Attacks Using Cookies #3: FireSheep




FireSheep was effectively a more accessible version of FaceNiff.

Released in 2011 for Firefox browser, FireSheep would scan its network and display the list of session IDs for Facebook and other websites in the side bar. A FireSheep user could simply click on the ID it would automatically log them into the targets Facebook.

FireSheep was intended to display the Dangers of Public WiFi. This is certainly an educational proof-of-concept; however, a perhaps misguided step from Mozilla (the creators of Firefox) was to allow FireSheep as an extension on the Firefox addon store.

FireSheep required no rooting or no special knowledge, you simply had to use Firefox to run it. It was mass-adopted by would-be hackers and lead to many compromised accounts. Mozilla eventually removed it, but the damage was done.

Session Hijacking Attacks Using Cookies #2: DroidSheep




DroidSheep was developed with the best of intentions. On an industry level, it allows companies to test the security of their network and of their websites. However given it’s ease-of-use, it’s overtaken FaceNiff as the go-to mobile hijacker.

Like FaceNiff, DroidSheep must be downloaded from the developers’ website onto a rooted Android. It is much more user-friendly than its predecessor and allows for much more functionality. It can scan for any cookies relating to any website and so isn’t hindered in options. It also has the functionality to execute a number of Linux commands.

While it is prevalent among hackers, it would be misleading not to mention that DroidSheeps’ developers knew this could be an issue. Alongside DroidSheep, they released DroidSheep Guard, an app that blocks out any sniffing that the main app can do. While DroidSheep Guard is a useful tool, it does not protect the user against other sniffing applications.

Session Hijacking Attacks Using Cookies #1: Pass-The-Cookie




As session hijacking became more popular, methods to defend against it did too. One such method known to most today is 2-Factor-Authentication (2FA).

2FA works by transmitting a temporary password, or key, to a secondary device when you try login. Usually this can be a text to your phone, or a code on an authenticator app such as Google Authenticator. 2FA is a step in the right direction for securing all your accounts that offer the service and should be set up immediately.

The world of cybersecurity is effectively cyber-warfare, and just as the physical world’s warfare is an arms-race, so is cyber-warfare a cyber-arms-race. If 2FA was a leap forward by the ‘good guys’, Pass-The-Cookie is the new armament for hackers in the race for total security, or insecurity depending on your viewpoint.

With Pass-The-Cookie, a hacker will intercept the cookie the target used when logging in with 2FA. The hacker can then poison the cookie, and use it set Authentication as active for a long period of time, allowing them to freely move around within the compromised account.

This was once thought of as not possible, more so very unlikely. But since the start of 2021, there has been a series of attacks using this method. This has prompted the US government to release a report on the issue.

What You Can Do About Session Hijacking and Poison Cookies

Session Hijacking is without a doubt one of the most common forms of cybercrime. Thankfully, protection against it is simple. While no approach will guarantee 100% safety, SaferNet can get you pretty close!

Session Hijacking relies on being able to detect cookie IDs moving in a network. This assumes the network traffic is unencrypted, which is the case for most people. SaferNet uses 256-bit encryption in its advanced VPN, meaning that anyone sniffing the network you’re using could only make out garbled, nonsensical data. This shuts down network sniffing and stops session hijacking before it begins.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Leave a Reply

Your email address will not be published. Required fields are marked *