
Cookie Theft Threat: When Multi-Factor Authentication Isn’t Enough


Green padlock icon on a smartphone screen. Image: Adobe Stock

Multi-factor authentication (MFA) is a good security measure, most of the time. For example, it allows a company to add an extra layer of security to its VPN. The user, in addition to a (hopefully) strong password, needs to enter another code, which is obtained from another device: a smartphone via SMS or an authenticator app like Duo or Google Authenticator, or even a hardware device like a YubiKey.

Nowadays, many online services also use this technology, and more and more people are adopting MFA, which is of course a good thing.

However, what happens when a user has authenticated their access to such a website? How is the session handled from the server’s point of view? The answer is in a single word: cookie.

Session cookies

The way most websites handle authentication is through cookies, small files stored by the browser. Once authenticated, the session cookie maintains session state and the user’s browsing session remains authenticated (Figure A).

Figure A

A normal web service session initializes a session cookie and maintains it. Image: Sophos

Each cookie is stored in the browser's cookie database as a list of parameters and values that, in some cases, includes a unique token provided by the web service once the user has authenticated.

Session cookies, as their name suggests, persist as long as the session is open.


Threats

The threat, as described in a recent publication from Sophos, is pretty simple: "Cookies related to web services authentication can be used by attackers in 'cookie bypass' attacks that attempt to impersonate the legitimate user the cookie was originally intended to grant, and gain access to web services without login challenges" (Figure B).

Figure B

A cookie bypass attack allows an attacker to hijack an authenticated session. Image: Sophos

The most common way to steal such cookies is through malware, which sends exact copies of the session cookie to the attacker. Some credential-stealing malware already offers cookie-stealing functionality, and we expect this functionality to appear in most of these types of malware in the future, as MFA is deployed and used more and more.

Cookies can also be sold, in the same way that login credentials are sold. People might think that session cookies won't last long enough to be sold, but that is not the case: depending on the configuration of the client and the server, session cookies can last for days, weeks, or even months. Users tend to avoid repeated authentication if they can, so they often click the options websites offer to prolong their session and keep it open for a long time, even after the browser has been closed and reopened.

A cybercrime marketplace called Genesis, famous for selling credentials, also sells cookies. Members of the Lapsus$ extortion group claimed they bought a stolen cookie that provided access to Electronic Arts. This allowed the threat actor to steal approximately 780 gigabytes of data, which was then used in an attempt to blackmail Electronic Arts.

Cookie stealer infection

A user’s computer can be infected with cookie-stealing malware just like any other type of malware.

Sophos reports that malware operators often use paid download services and other non-targeted approaches to collect as many victims’ cookies as possible.

One effective approach is to store the malware in large ISO files or ZIP archives, which are then advertised through malicious websites as installers or unlockers for pirated commercial software.

They may also be available through a peer-to-peer network.

Cookie stealers can also arrive via email, usually archives containing malicious downloaders or droppers for malware.

Finally, cookies are also a powerful resource for targeted attacks. Once attackers have successfully infiltrated a computer, they can actively look for cookies, in addition to valid credentials. Once discovered and stolen, they can be used to increase an attacker’s list of methods to stay in the network. Attackers can also abuse legitimate security tools like Metasploit or Cobalt Strike to take advantage of session cookies.
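The persistence use described above is what a defender would want to spot in web server logs: one session identifier being driven from two different clients, especially when both clients are active at the same time. The following detection logic is an added example, not code from the article or from Sophos. It assumes a constructed log format with one request per line (the field names `sid`, `ip`, `ua` and `path` and the log lines themselves are made up for this example) and flags any session used from more than one client fingerprint, rating it higher when the two clients interleave or when the user agent changes.

```python
import re
from collections import defaultdict

# Constructed sample access log for this example (session ids shortened; not real data).
LOG_LINES = [
    "2022-08-18T10:00:01Z sid=a1f3 ip=198.51.100.23 ua=Firefox/103 path=/inbox",
    "2022-08-18T10:02:14Z sid=a1f3 ip=198.51.100.23 ua=Firefox/103 path=/settings",
    "2022-08-18T10:03:40Z sid=a1f3 ip=203.0.113.77 ua=python-requests/2.28 path=/inbox",
    "2022-08-18T10:04:02Z sid=a1f3 ip=198.51.100.23 ua=Firefox/103 path=/inbox",
    "2022-08-18T10:05:00Z sid=b7e9 ip=192.0.2.10 ua=Chrome/104 path=/inbox",
    "2022-08-18T11:30:00Z sid=b7e9 ip=192.0.2.44 ua=Chrome/104 path=/inbox",
]

# Assumed log layout: timestamp, then space-separated key=value fields without spaces in values.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua=(?P<ua>\S+) path=(?P<path>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None for a malformed line."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def detect_session_sharing(lines):
    """Flag session ids that were used from more than one (ip, user agent) fingerprint.

    Severity is 'high' when the original client keeps using the session after a second
    client appeared (concurrent use from two machines) or when the user agent differs;
    it is 'low' for a plain IP change with the same browser, which can simply be a
    laptop or phone moving between networks.
    """
    sequences = defaultdict(list)  # sid -> fingerprints in log order
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sequences[rec["sid"]].append((rec["ip"], rec["ua"]))

    alerts = []
    for sid, seq in sequences.items():
        distinct = []
        for fp in seq:
            if fp not in distinct:
                distinct.append(fp)
        if len(distinct) < 2:
            continue
        first, second = distinct[0], distinct[1]
        # Interleaved: the first client is seen again after the second one showed up.
        interleaved = first in seq[seq.index(second) + 1:]
        ua_changed = len({ua for _, ua in distinct}) > 1
        alerts.append({
            "sid": sid,
            "fingerprints": len(distinct),
            "interleaved": interleaved,
            "severity": "high" if (interleaved or ua_changed) else "low",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_sharing(LOG_LINES):
        print(alert)
```

On the constructed log, session `a1f3` is rated high because a scripted client with a different user agent used it while the original browser was still active, whereas `b7e9` is only a low-severity IP change with the same browser, which matches the article's caveat that users who combine desktop and mobile access legitimately change addresses.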


How can websites provide better protection for their users?

Many web-based applications implement additional checks against session cookie hijacking. In particular, it can be effective to check the IP address of each request against the IP address used at the start of the session. However, this is difficult for applications built to combine desktop and mobile usage, where the client's address changes legitimately. In addition, an attacker already on the intranet can still hijack the user's cookies from the same address range.

Shortening the lifespan of cookies can also be a security measure to take, but it means users will need to authenticate more often, which may not be desirable.

On the network, cookies should never be transmitted in clear text. They should always be transmitted over SSL (Secure Sockets Layer), which is in line with the general recommendation that websites run entirely on HTTPS instead of HTTP. Cookie contents can also be encrypted server-side using a two-way algorithm.
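The server-side measures listed in this section (an opaque session token, IP binding with an opt-out for mixed desktop and mobile use, a short explicit lifetime, and never sending the cookie in clear text) fit together in a single session manager. The following is an added example written for this article, not code from the article or from any framework it mentions; the `SessionStore` class, its method names, the lifetimes and the signing key are all assumptions made up for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed signing key for this example; a real deployment loads it from a secret store.
SERVER_KEY = b"example-key-do-not-use-in-production"

ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on session age, in seconds (assumed value)
IDLE_TIMEOUT = 30 * 60        # expire after 30 minutes without a request (assumed value)


@dataclass
class SessionRecord:
    user: str
    created: float
    last_seen: float
    client_ip: str


class SessionStore:
    """Server-side session store: the cookie carries only an opaque, HMAC-signed id."""

    def __init__(self, bind_ip: bool = True):
        # bind_ip=False is the trade-off for apps that mix desktop and mobile clients.
        self.bind_ip = bind_ip
        self._sessions: dict[str, SessionRecord] = {}

    def _sign(self, session_id: str) -> str:
        mac = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()
        return f"{session_id}.{mac}"

    def issue(self, user: str, client_ip: str, now: Optional[float] = None) -> str:
        """Create a session and return the full Set-Cookie header value."""
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(32)  # random, so it reveals nothing about the user
        self._sessions[session_id] = SessionRecord(user, now, now, client_ip)
        # Secure: only sent over HTTPS. HttpOnly: unreadable from page scripts.
        # SameSite=Strict: not attached to cross-site requests. Max-Age: explicit short lifetime.
        return (f"session={self._sign(session_id)}; Secure; HttpOnly; SameSite=Strict; "
                f"Path=/; Max-Age={ABSOLUTE_LIFETIME}")

    def validate(self, cookie_value: str, client_ip: str,
                 now: Optional[float] = None) -> Optional[str]:
        """Return the user for a valid session cookie, or None if it must be rejected."""
        now = time.time() if now is None else now
        session_id, sep, mac = cookie_value.rpartition(".")
        if not sep or not hmac.compare_digest(self._sign(session_id), f"{session_id}.{mac}"):
            return None  # forged or tampered cookie
        record = self._sessions.get(session_id)
        if record is None:
            return None  # unknown or already revoked
        if now - record.created > ABSOLUTE_LIFETIME or now - record.last_seen > IDLE_TIMEOUT:
            del self._sessions[session_id]  # expired: drop it so a stolen copy is useless
            return None
        if self.bind_ip and record.client_ip != client_ip:
            return None  # same cookie presented from a different address
        record.last_seen = now
        return record.user

    def revoke(self, cookie_value: str) -> None:
        """Log-out path: invalidate the server-side record so stolen copies stop working."""
        session_id = cookie_value.rpartition(".")[0]
        self._sessions.pop(session_id, None)


def cookie_from_header(set_cookie: str) -> str:
    """Extract the cookie value a browser would send back from a Set-Cookie header."""
    return set_cookie.split(";", 1)[0].split("=", 1)[1]
```

Because the record lives on the server, shortening `ABSOLUTE_LIFETIME` or `IDLE_TIMEOUT`, or calling `revoke()` on log-out, limits how long a copied cookie stays useful, which is exactly the trade-off the article describes between session length and re-authentication.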

How can end users protect themselves from cookie theft?

Cookies can only be stolen in two ways: from the end user's computer, or from the network communication with the web-based application.

Users should enforce encryption when possible and favor HTTPS over HTTP. Users should also regularly clear their session cookies, but that means they’ll have to re-authenticate as well.

However, the main risk still lies in having the computer infected with cookie-stealing malware. This can be prevented with general computer security hygiene: operating systems and software always need to be updated and patched to avoid compromise through a common vulnerability.

Security solutions should also be deployed to detect any malware that is downloaded or received via email.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
