Cookie Theft

Cookie theft has been associated with the takeover of Facebook accounts by criminals based in Vietnam. In 2021 Google cited cookie theft for the misappropriation of YouTube accounts. The principle behind cookie theft, or ‘pass-the-cookie’ attacks, is that access to a machine's cookies enables another browser to imitate the hacked machine, including any account and password details that the compromised machine would automatically complete for account access.

Takeover of a genuine account is of more use to the criminal than simply creating a new one. In the final quarter of 2002 Meta took down 1.3 billion Facebook accounts allegedly linked with malicious intent, or created to represent a business, organisation, or non-human entity. With access to an existing account, any personal data can be sold on or used to build up a profile for phishing. Another bonus is that the stolen account has age and believability, making it a more convincing platform for launching fraud. Verified account marks such as Twitter Blue are particularly attractive, as they indicate trust dating back to before the hack. The original account holder could find it difficult to prove ownership when a hacker has control and has changed all related passwords and contact details. All the measures put in place to safeguard an account are now working against the legitimate owner. Data such as images documenting past experiences may be deleted by thieves and might not be recoverable even if legitimate access to the account is restored.

It is relatively easy to see the cookies that are stored locally, although the exact location will vary depending on the browser and operating system in use. As an example, the author’s machine (running Firefox) has stored a file ‘logins.json’ which includes details of websites, user names and passwords. The user name and password information is encrypted, but software exists that claims to be able to decrypt this. If the account details for the browser are known, then the rogue browser will simply read all the data into clear text.

It is unlikely that a phishing attack will get a target to directly disclose this information, but if they can be fooled into downloading software that intercepts traffic or allows remote control, then relevant data can be quietly siphoned off. The user may have been infected through malicious websites or downloads. Some of these attacks install themselves, steal cookie data, then delete themselves, leaving no trace of the attack except the consequent loss of account control.

Many cookie files are not stored but are kept in memory while browsing a site. These can be viewed from within a browser but are lost when the browser is closed. If the hacker can set up a man-in-the-middle attack, they can impersonate a target site, and these session cookies are stored on the hacker’s computer, not that of the intended user.

Phishing attacks are often sophisticated, and any user needs to be aware of information requests, even from individuals or bodies that ought to be trusted. There are methods to reduce the likelihood and impact of social media account theft through cookie theft.

Although dated, the advice to take care on http web sites still holds true. Most web pages are now https, so any web packets will be encrypted, unlike http sites, where any traffic, including passwords, is passed to the Internet in the clear. Modern browsers highlight and warn against http pages for this reason, although they are unlikely to be a threat if no data beyond the page request passes to and from the user.

To protect cookie data specifically:

  • Use browser settings to delete older or all cookies.
  • Review which passwords are stored within a browser.
  • Avoid re-using passwords and account names.
  • Be wary of sharing browser accounts between work and home machines.
  • Do not send account details over public WiFi.
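
One way to act on the first item in the list above, as an added example that is not from the original article: a Python audit that flags stored cookies by age and by whether they can travel over plain http, reading only metadata and never the cookie values. The file name `cookies.sqlite`, the `moz_cookies` table and its `creationTime` (microseconds) and `isSecure` columns are assumptions about the Firefox profile layout, and the sample rows are constructed.

```python
import os
import sqlite3
import tempfile

DAY = 86400  # seconds

def audit_cookies(db_path, now, max_age_days=90):
    """Return [(host, name, [reasons])] for stored cookies worth reviewing.

    Only metadata is queried; cookie values are never read.
    Assumed schema: moz_cookies(host, name, creationTime [microseconds], isSecure).
    """
    findings = []
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT host, name, creationTime, isSecure "
            "FROM moz_cookies ORDER BY host, name")
        for host, name, created_us, is_secure in rows:
            reasons = []
            age_days = (now - created_us / 1_000_000) / DAY
            if age_days > max_age_days:
                reasons.append(f"stored {int(age_days)} days ago")
            if not is_secure:
                reasons.append("no Secure flag, can be sent over http")
            if reasons:
                findings.append((host, name, reasons))
    finally:
        con.close()
    return findings

def make_sample_db(now):
    """Create a constructed database (not real browser data) and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "cookies.sqlite")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE moz_cookies (host TEXT, name TEXT, value TEXT, "
                "creationTime INTEGER, isSecure INTEGER)")
    sample = [  # (host, name, age in days, isSecure)
        (".social.example", "auth", 200, 1),
        (".forum.example", "sid", 10, 0),
        (".news.example", "prefs", 400, 0),
        (".bank.example", "sid", 5, 1),
    ]
    con.executemany(
        "INSERT INTO moz_cookies VALUES (?, ?, 'constructed', ?, ?)",
        [(h, n, (now - d * DAY) * 1_000_000, s) for h, n, d, s in sample])
    con.commit()
    con.close()
    return path

if __name__ == "__main__":
    NOW = 1_700_000_000  # fixed clock so the sample output is repeatable
    for host, name, reasons in audit_cookies(make_sample_db(NOW), NOW):
        print(f"{host:18} {name:6} {'; '.join(reasons)}")
```

To review a real profile, point `audit_cookies` at a copy of the cookie file made while the browser is closed, and pass `time.time()` as `now`.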
