Open any website, and the first thing you’ll likely see is a pop-up notification about the use of cookies. You’re usually given the option to accept all cookies, accept only necessary ones, or flatly reject them. Regardless of your choice, you probably won’t notice a difference, and the notification disappears from the screen anyway.
Today, we dive a little deeper into the cookie jar: what cookies are for, what types exist, how attackers can intercept them, what the risks are, and how to stay safe.
What are cookies?
When you visit a website, it sends a cookie to your browser. This is a small text file that contains data about you, your system, and the actions you’ve taken on the site. Your browser stores this data on your device and sends it back to the server every time you return to that site. This simplifies your interaction with the site: you don’t have to log in on every single page; sites remember your display settings; online stores keep items in your cart; streaming services know at which episode you stopped watching — the benefits are limitless.
Cookies can store your login, password, security tokens, phone number, residential address, bank details, and session ID. Let’s take a closer look at the session identifier.
A session ID is a unique code assigned to each user when they sign in to a website. If a third party manages to intercept this code, the web server will see them as a legitimate user. Here’s a simple analogy: imagine you can enter your office by means of an electronic pass with a unique code. If your pass is stolen, the thief — whether they look like you or not — can open any door you have access to without any trouble. Meanwhile, the security system will believe that it’s you entering. Sounds like a scene from a crime TV show, doesn’t it? The same thing happens online: if a hacker steals a cookie with your session ID, they can sign in to a website you were already signed in to, under your name, without needing to enter a username and password; sometimes they can even bypass two-factor authentication. In 2023, hackers stole all three YouTube channels of the famous tech blogger Linus Sebastian: “Linus Tech Tips” and two other Linus Media Group channels with tens of millions of subscribers. This is exactly how they did it. We’ve already covered that case in detail.
What types of cookies are there?
Now let’s sort through the different cookie varieties. All cookies can be classified according to a number of characteristics.
By storage time
- Temporary, or session cookies. These are only used while you’re on the website. They’re deleted as soon as you leave. They’re required for things like keeping you signed in as you navigate from page to page, or remembering your selected language and region.
- Persistent cookies. These remain on your device after you leave the site. They spare you the need to accept or decline cookie policies every time you visit. They typically last for about a year.
It’s possible for session cookies to become persistent. For example, if you check a box like “Remember me”, “Save settings”, or some such on a website, the data will be saved in a persistent cookie.
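As an added illustration (not code from the original article), the following Python snippet builds the Set-Cookie header a server would send for a session ID, with and without the “Remember me” promotion to a persistent cookie, and classifies a header the way a browser decides whether to keep it past the end of the browsing session. The cookie name, the placeholder value and the one-year lifetime are assumed; the Secure, HttpOnly and SameSite attributes are the defaults a defender would set so the cookie is never transmitted over plaintext HTTP and never readable by page scripts.

```python
from http.cookies import SimpleCookie

# Assumed lifetime for a persistent "Remember me" cookie: one year, in seconds.
REMEMBER_ME_MAX_AGE = 365 * 24 * 60 * 60


def build_session_cookie(name, value, remember_me=False):
    """Return the Set-Cookie header value a server would emit for a session ID.

    Without Max-Age or Expires the browser keeps the cookie only for the
    current browsing session.  Ticking "Remember me" promotes it to a
    persistent cookie by adding Max-Age.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["secure"] = True     # never sent over plaintext HTTP, so it cannot be sniffed
    morsel["httponly"] = True   # hidden from page scripts (document.cookie)
    morsel["samesite"] = "Lax"  # not attached to most cross-site requests
    if remember_me:
        morsel["max-age"] = REMEMBER_ME_MAX_AGE
    return morsel.OutputString()


def classify_cookie(set_cookie_header):
    """Classify a Set-Cookie header by storage time, as a browser would:
    'persistent' if it carries Max-Age or Expires, otherwise 'session'."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if not jar:
        raise ValueError("no cookie found in header")
    morsel = next(iter(jar.values()))
    if morsel["max-age"] or morsel["expires"]:
        return "persistent"
    return "session"


if __name__ == "__main__":
    plain = build_session_cookie("sid", "example-session-id")
    remembered = build_session_cookie("sid", "example-session-id", remember_me=True)
    print("Set-Cookie:", plain, "->", classify_cookie(plain))
    print("Set-Cookie:", remembered, "->", classify_cookie(remembered))
```

The session variant has no Max-Age, so the browser drops it when the session ends; the “Remember me” variant is the same cookie with a lifetime attached, which is all that turns a session cookie into a persistent one.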
By source
- First-party cookies. These are generated by the website itself. They allow the website to function properly and visitors to get a proper experience. They may also be used for analytics and marketing purposes.
- Third-party cookies. These are collected by external services. They’re used to display ads and collect advertising statistics, among other things. This category also includes cookies from analytics services like Google Analytics and social media platforms. These cookies store your sign-in credentials, allowing you to like a page or share content on social media with a single click.
By importance
- Required, or essential cookies. These support core website features, such as selling products on an e-commerce platform. In this case, each user has a personal account, and essential cookies store their login, password, and session ID.
- Optional cookies. These are used to track user behavior and help tailor ads more precisely. Most optional cookies belong to external parties and don’t affect your ability to use all of the site’s features.
By storage technology
- Standard cookies. These are stored in text files in the browser’s standard storage. When you clear your browser data, they’re deleted, and after that, the websites that sent them will no longer recognize you.
- There are two special subtypes: supercookies and evercookies, which store data in a non-standard way. Supercookies are embedded in website headers and stored in non-standard locations, which allows them to avoid being deleted by the browser’s cleanup function. Evercookies can be restored using JavaScript even after being deleted. This means they can be used for persistent and difficult-to-control user tracking.
The same cookie can fall into multiple categories: for example, most optional cookies are third-party, while required cookies include temporary ones responsible for the security of a specific browsing session. For more details on how and when all these types of cookies are used, read the full report on Securelist.
How session IDs are stolen through session hijacking
Cookies that contain a session ID are the most tempting targets for hackers. Theft of a session ID is also known as session hijacking. Let’s examine some of the most interesting and widespread methods.
Session sniffing
Session hijacking is possible by monitoring or “sniffing” the internet traffic between the user and the website. This type of attack happens on websites that use the less secure HTTP protocol instead of HTTPS. With HTTP, cookie files are transmitted in plain text within the headers of HTTP requests, meaning they’re not encrypted. A malicious actor can easily intercept the traffic between you and the website you’re on, and extract cookies.
These attacks often occur on public Wi-Fi networks, especially if not protected by either the WPA2 or WPA3 protocols. For this reason, we recommend exercising extreme caution with public hotspots. It’s much safer to use mobile data. If you’re traveling abroad, it’s a good idea to use the Kaspersky eSIM Store.
Cross-site scripting (XSS)
Cross-site scripting consistently ranks among the top web-security vulnerabilities, and with good reason. This type of attack allows malicious actors to gain access to a site's data — including the cookie files that contain the coveted session IDs.
Here's how it works: the attacker finds a vulnerability in the website's source code and injects a malicious script; that done, all that remains is for you to visit the infected page and you can kiss your cookies goodbye. The script gains full access to your cookies and sends them to the attacker.
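An added example, not code from the original post: the vulnerable rendering described above beside its hardened form. The sample comment and the cookie jar are constructed; `script_visible_cookies` is a toy model of what `document.cookie` exposes, included to show why a session cookie should carry the HttpOnly attribute, which keeps it out of reach of any script that does get injected.

```python
import html

# Constructed sample input: a comment containing an injected script tag.
SAMPLE_COMMENT = "Nice post! <script>alert(1)</script>"

# Constructed sample cookie jar for the site: (name, value, httponly)
SAMPLE_JAR = [
    ("theme", "dark", False),
    ("sid", "placeholder-session-id", True),
]


def render_comment_vulnerable(comment):
    """The 'before' version: user input is pasted into the page unchanged, so
    any tag it contains becomes part of the page and executes."""
    return "<div class=\"comment\">%s</div>" % comment


def render_comment_hardened(comment):
    """Output encoding for an HTML text context: the browser displays the
    characters but never parses them as markup."""
    return "<div class=\"comment\">%s</div>" % html.escape(comment, quote=True)


def contains_script_tag(rendered):
    """Crude indicator used only to contrast the two renderers."""
    return "<script" in rendered.lower()


def script_visible_cookies(jar):
    """Toy model of document.cookie: cookies flagged HttpOnly are withheld from
    page scripts, so even a successfully injected script cannot read them."""
    return {name: value for name, value, httponly in jar if not httponly}


if __name__ == "__main__":
    print(render_comment_vulnerable(SAMPLE_COMMENT))
    print(render_comment_hardened(SAMPLE_COMMENT))
    print("visible to scripts:", script_visible_cookies(SAMPLE_JAR))
```

Encoding on output is what stops the injection; HttpOnly is the second layer that limits the damage when an injection still happens, because the session cookie is then not among the values a script can read.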
Cross-site request forgery (CSRF/XSRF)
Unlike other types of attacks, cross-site request forgery exploits the trust relationship between a website and your browser. An attacker tricks an authenticated user's browser into performing an unintended action without their knowledge, such as changing a password or deleting data like uploaded videos.
For this type of attack, the threat actor creates a web page or email containing a malicious link, HTML code, or a script with a request to the vulnerable website. Simply opening the page or email, or clicking the link, is enough for the browser to automatically send the malicious request to the target site. All of your cookies for that site will be attached to the request. Believing that it was you who requested, say, the password change or channel deletion, the site will carry out the attackers' request on your behalf.
That's why we recommend not opening links received from strangers, and installing Kaspersky Password Manager, which can alert you to malicious links or scripts.
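An added, self-contained Python model of the exchange described above (not the article's own code): a browser deciding whether to attach the session cookie under the cookie's SameSite setting, and a server that refuses a password change unless the request also carries the per-session CSRF token, which only the site's own pages can embed. The host names bank.example and attacker.example are constructed, and the SameSite rules are simplified (Lax is treated as attaching the cookie only on GET navigations).

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> {"user": ..., "csrf": ...}
SESSIONS = {}
TARGET_SITE = "bank.example"   # constructed host name of the site being attacked


def create_session(user):
    """Sign a user in: issue a random session ID and a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """The site's own pages embed this token in forms; a cross-site page cannot read it."""
    return SESSIONS[sid]["csrf"]


def browser_attaches_cookie(samesite, target_site, origin_site, method):
    """Simplified SameSite rules: same-site requests always carry the cookie;
    Strict never attaches it cross-site; Lax attaches it only on top-level GET
    navigations; None attaches it to every request."""
    if target_site == origin_site:
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        return method == "GET"
    return True


def handle_password_change(cookie_sid, form):
    """Server side: a valid session cookie proves who the browser is signed in
    as, not that the user intended this request, so the CSRF token is required too."""
    if cookie_sid is None or cookie_sid not in SESSIONS:
        return 401, "not signed in"
    expected = SESSIONS[cookie_sid]["csrf"].encode()
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    return 200, "password changed for " + SESSIONS[cookie_sid]["user"]


def simulate(samesite, origin_site, form, sid, method="POST"):
    """One round trip: the browser decides whether to attach the session cookie,
    then the server handles the password-change request."""
    attached = browser_attaches_cookie(samesite, TARGET_SITE, origin_site, method)
    return handle_password_change(sid if attached else None, form)


if __name__ == "__main__":
    sid = create_session("alice")
    print(simulate("Lax", TARGET_SITE, {"csrf_token": csrf_token_for(sid)}, sid))
    print(simulate("None", "attacker.example", {}, sid))
    print(simulate("Lax", "attacker.example", {}, sid))
```

With SameSite=None the browser attaches the cookie to the forged request, exactly as the article describes, and only the missing token stops the change; with Lax or Strict the cookie never leaves the browser for a cross-site POST. State-changing actions should also never be reachable by GET, since Lax still sends the cookie on cross-site navigations.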
Predictable session IDs
Sometimes, attackers don't need to use complex schemes — they can simply guess the session ID. On some websites, session IDs are generated by predictable algorithms, and might contain information like your IP address plus an easily reproducible sequence of characters.
To pull off this kind of attack, hackers need to collect enough sample IDs, analyze them, and then figure out the generating algorithm to predict session IDs on their own.
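As an added example (not from the original article), here is the weak pattern described above beside a CSPRNG-backed generator, together with a small audit a developer can run over a sample of issued IDs to catch the obvious defects: embedded client IP, an incrementing counter, duplicates, and too little entropy. The IP address, the counter format and the 128-bit minimum are constructed for the illustration.

```python
import math
import secrets


def weak_session_id(client_ip, counter):
    """The weak pattern described above: the client's IP address plus an
    easily reproducible sequence.  Constructed for illustration only."""
    return "%s-%06d" % (client_ip.replace(".", ""), counter)


def strong_session_id(num_bytes=32):
    """CSPRNG-backed ID: 32 random bytes (256 bits of entropy), URL-safe."""
    return secrets.token_urlsafe(num_bytes)


def _trailing_number(s):
    """Return the run of digits at the end of s as an int, or None if there is none."""
    digits = ""
    for ch in reversed(s):
        if not ch.isdigit():
            break
        digits = ch + digits
    return int(digits) if digits else None


def audit_session_ids(ids, client_ip=None, min_bits=128):
    """Checks a developer can run over a sample of issued IDs.  Returns a list
    of findings; an empty list means none of these obvious weaknesses showed up."""
    findings = []
    if len(set(ids)) != len(ids):
        findings.append("duplicate session IDs issued")
    if client_ip is not None and any(client_ip.replace(".", "") in s for s in ids):
        findings.append("session ID embeds the client IP address")
    tails = [_trailing_number(s) for s in ids]
    if len(tails) > 1 and all(t is not None for t in tails) and all(
        b - a == 1 for a, b in zip(tails, tails[1:])
    ):
        findings.append("session IDs end in an incrementing counter")
    # Upper bound on entropy from the observed alphabet and shortest length;
    # anything well under 128 bits is within reach of brute-force guessing.
    alphabet = set("".join(ids))
    shortest = min(len(s) for s in ids)
    max_bits = shortest * math.log2(len(alphabet)) if len(alphabet) > 1 else 0.0
    if max_bits < min_bits:
        findings.append("at most %.0f bits of entropy, below the %d-bit minimum" % (max_bits, min_bits))
    return findings


if __name__ == "__main__":
    weak = [weak_session_id("192.168.0.1", i) for i in range(1, 6)]
    print(weak, audit_session_ids(weak, client_ip="192.168.0.1"))
    strong = [strong_session_id() for _ in range(5)]
    print(strong, audit_session_ids(strong))
```

The alphabet-based figure is only an upper bound (a generator can have structure the audit does not see), so a clean result is necessary rather than sufficient; the fix that removes the whole problem class is to take the ID from the operating system's CSPRNG, as `strong_session_id` does.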
There are other ways to steal a session ID, such as session fixation, cookie tossing, and man-in-the-middle (MitM) attacks. These methods are covered in our dedicated Securelist post.
How to protect yourself from cookie thieves
A large part of the responsibility for cookie security lies with website developers. We provide tips for them in our full report on Securelist.
But there are some things we can all do to stay safe online.
- Only enter personal data on websites that use the HTTPS protocol. If you see "HTTP" in the address bar, don't accept cookies or submit any sensitive information like logins, passwords, or credit card details.
- Pay attention to browser alerts. If you see a warning about an invalid or suspicious security certificate when you visit a site, close the page immediately.
- Update your browsers regularly or enable automatic updates. This helps protect you from known vulnerabilities.
- Regularly clear browser cookies and cache. This prevents old, potentially leaked cookie files and session IDs from being exploited. Most browsers have a setting to automatically delete this data when you close them.
- Don't follow suspicious links. This is especially true of links received from strangers in a messaging app or by email. If you have a hard time telling the difference between a legitimate link and a phishing one, install Kaspersky Premium, which can alert you before you visit a malicious site.
- Enable two-factor authentication (2FA) wherever possible. Kaspersky Password Manager is a convenient way to store 2FA tokens and generate one-time codes. It syncs them across all your devices, which makes it much harder for an attacker to access your account after a session has ended — even if they steal your session ID.
- Refuse to accept all cookies on all websites. Accepting every cookie from every site isn't the best strategy. Many websites now offer a choice between accepting all and accepting only essential cookies. Whenever possible, choose the "required/essential cookies only" option, as these are the ones the site needs to function properly.
- Connect to public Wi-Fi networks only as a last resort. They are often poorly secured, which attackers take advantage of. If you have to connect, avoid signing in to social media or messaging accounts, using online banking, or accessing any other services that require authentication.
Want to know even more about cookies? Read these articles: