
In the never-ending game of whack-a-mole between cybersecurity teams and malicious actors, cookie hijacking is a trending threat. As teams get smarter about using secure passwords and multi-factor authentication, hackers are using cookies to gain unauthorized access to sessions and accounts.

As a result, developers and app owners are rapidly developing a love-hate relationship with cookies. On the one hand, cookies are the best way to authenticate sessions and track users. On the other hand, they are proving to be a source of growing problems.

People have already spent years grappling with the data privacy issues raised by third-party cookies. Marketers and publishers have invested a great deal of time and effort in developing strategies that end their cookie dependency and help them maintain effective digital marketing once Google makes good on its commitment to phase them out.

Just as we were getting to grips with that cookie challenge, the threat of cookie hacking started ramping up. Now security teams need to adjust their practices and controls to manage and mitigate this threat.

Cookie hijacking involves hackers stealing session cookies, the small files which apps and websites use to recognize a returning user and offer personalized experiences. It’s not a new development — criminals have been using them for years — but their use has skyrocketed in the last few months.

Until recently, most hackers tried to access usernames and passwords as a way to get into user accounts. But the rise of multi-factor authentication (MFA), stronger passwords, biometrics, just-in-time protocols, and advanced passkeys has made cookie stealing much more appealing to criminals. Now they don’t have to contend with authentication or verification, because the user is still logged in.

What’s more, cookie-based hijacking into Google accounts can give hackers much richer pickings than stealing passwords. Google’s MultiLogin endpoint, which synchronizes accounts across Google services, and its Password Manager mean that once a hacker slips into someone’s Google account, they can move freely throughout their network, reset passwords, steal sensitive data, carry out ransomware attacks, and more.

This is why vulnerabilities related to Google cookies are particularly noteworthy. Criminals recently discovered a zero-day vulnerability in Google’s OAuth authentication system. They regenerate persistent Google cookies, extract Google Accounts and ID Administration (GAIA) IDs and encrypted tokens, and then decrypt them using a key stored within Chrome’s UserData directory. Hackers can now use Lumma information stealer apps that carry out these tasks for just $250 a month. They don’t even need tech knowledge.

These new-style cookie hijacking attacks are especially tricky to detect, because they occur swiftly and leave no persistent presence to aid discovery. With fast uptake across the dark web, they pose a whole new set of problems for cybersecurity teams.

It doesn’t help that Google is largely downplaying the issue. The mega-corporation announced a series of patches and promised to act to secure any compromised accounts.

Google also “reassured” the general public that you can revoke stolen cookies by simply signing out of any affected browser. While this is true, it’s of little help if criminals have already reset all your passwords, stolen your sensitive work, financial, or health data, and/or locked you out of your accounts.

The underlying theme of Google’s response is that cookies are meant to store session data, so this is not a bug or a vulnerability. It’s more like a feature that must be protected. Effectively, Google is handing responsibility over to users to establish our own defenses.

Cookies need your protection

Defense against cookie hijacking demands higher standards of security. The vast majority of people are largely unaware of the problem, partly because security education focused on passwords for so long, so the first step here is to further enhance awareness training.

Employees need to be educated not just to change their passwords frequently and set up MFA, but also to disable “remember me” or “remember this device” options, since those allow browsers to set up persistent cookies. It’s important to frequently delete all cookies from your browser, and log out entirely every time you finish a session, especially when it comes to sensitive accounts.
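
For teams that own the application side, the same concern can be checked in the responses the app sends. The following is an added example, not part of the original article: it classifies `Set-Cookie` values as browser-session or persistent and flags long-lived ones of the kind a "remember me" option produces. The cookie names, the sample headers and the 12-hour ceiling are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed policy ceiling for a cookie that carries a session; tune per application.
MAX_LIFETIME = timedelta(hours=12)


def cookie_lifetime(set_cookie, now):
    """Return (name, lifetime). lifetime is None for a browser-session cookie."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    # Max-Age wins over Expires when both are present (RFC 6265, section 5.3).
    if attrs.get("max-age", "").isdigit():
        return name, timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return name, parsedate_to_datetime(attrs["expires"]) - now
    return name, None


def audit(headers, now):
    """Classify each Set-Cookie value as session, persistent-ok or persistent-too-long."""
    findings = []
    for header in headers:
        name, lifetime = cookie_lifetime(header, now)
        if lifetime is None:
            verdict = "session"
        elif lifetime > MAX_LIFETIME:
            verdict = "persistent-too-long"
        else:
            verdict = "persistent-ok"
        findings.append((name, verdict))
    return findings


# Constructed sample responses: a plain login, a "remember me" login, a short-lived cookie.
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    "sid=a1b2c3; Path=/; Secure; HttpOnly",
    "remember=d4e5f6; Max-Age=2592000; Path=/; Secure; HttpOnly",
    "csrf=0f9e8d; Expires=Thu, 01 Jan 2026 08:00:00 GMT; Path=/",
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE, NOW):
        print(f"{name:10} {verdict}")
```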

Existing security measures remain more relevant than ever. As Google points out, every session cookie is potentially vulnerable to infostealer malware, so you need to redouble your efforts to prevent the malware from arriving at your device. Powerful antivirus software is crucial to keep malware at bay, but it won’t solve everything.

Effective endpoint monitoring and swift remediation are both still necessary. As mentioned above, cookie stealing is hard to detect, so you need to know about the presence of infostealer malware as quickly as possible so that you can take steps to mitigate it. Acting quickly reduces the risk of stolen, active data being used for follow-up attacks.

However, it’s not enough just to clear infected devices; the stolen data could still be operational for many months. You’ll need to gain visibility over all compromised data and devices, invalidate all open session cookies, patch vulnerabilities, and reset exposed application information. Only then can you catch your breath and feel confident that the attack won’t escalate into a serious security incident.
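
Invalidating open session cookies is only possible when the server, not the cookie, decides whether a session is still valid. The sketch below is an added example, not code from the original article: a server-side session store with an absolute lifetime and a per-user "revoke everything" operation for incident response. The `SessionStore` class, its method names and the 8-hour default are hypothetical.

```python
import secrets
import time


class SessionStore:
    """Hypothetical in-memory store; a real deployment would back this with a database."""

    def __init__(self, max_age_seconds=8 * 3600, clock=time.time):
        self.max_age = max_age_seconds
        self.clock = clock              # injectable so expiry can be tested
        self.sessions = {}              # session id -> (user, issued_at)

    def issue(self, user):
        """Create a session and return the opaque id that goes into the cookie."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (user, self.clock())
        return sid

    def validate(self, sid):
        """Return the user for a live session, or None if unknown or expired."""
        record = self.sessions.get(sid)
        if record is None:
            return None
        user, issued_at = record
        # Absolute lifetime: a stolen cookie stops working even if nobody notices the theft.
        if self.clock() - issued_at > self.max_age:
            del self.sessions[sid]
            return None
        return user

    def revoke_all(self, user):
        """Invalidate every open session for one user; returns how many were removed."""
        doomed = [sid for sid, (owner, _) in self.sessions.items() if owner == user]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)


if __name__ == "__main__":
    store = SessionStore()
    laptop, phone = store.issue("alice"), store.issue("alice")
    print("before:", store.validate(laptop), store.validate(phone))
    print("revoked:", store.revoke_all("alice"))
    print("after:", store.validate(laptop), store.validate(phone))
```

Because the cookie holds only a random identifier, a copy taken from an infected device becomes useless the moment `revoke_all` runs, whatever expiry the browser was given.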

At the end of the day, cookies are still a necessary evil, and cookie hijacking isn’t going away any time soon. Currently, there’s no way to operate without them, so the only option is to attempt to keep one step ahead of the cybercriminals who try to hijack cookies and use them to infiltrate your networks. Constant vigilance, effective education, and robust security tools can help you protect your organization from cookie hijacking and other threats.

Asim Rahal is an independent consultant who plans and executes IT security strategies and compliance practices across environments. An incurable evangelist of cloud security, data protection, and cyber risk awareness, Asim has been published in Dark Reading, TechTarget, and InfoQ.