Cookie Theft
Cookie theft has been associated with the takeover of Facebook accounts by criminals based in Vietnam. In 2021 Google cited cookie theft for the misappropriation of YouTube accounts. The principle behind cookie theft, or ‘pass-the-cookie’ attacks, is that a copy of a user’s cookies lets another browser impersonate the compromised machine: the target site accepts the attacker’s browser as the already logged-in session, so the account and password details that the compromised machine would otherwise have supplied automatically are never asked for.
Taking over a genuine account is of more use to a criminal than simply creating a new one. In the final quarter of 2002 Meta took down 1.3 billion Facebook accounts allegedly linked with malicious intent, or created to represent a business, organisation or other non-human entity. With access to an existing account, any personal data can be sold on or used to build up a profile for phishing. A further bonus is that a stolen account has age and believability, making it a more convincing platform for launching fraud. Verified account marks such as Twitter Blue are particularly attractive, as they indicate trust dating back to before the hack. The original account holder may find it difficult to prove ownership once a hacker has control and has changed all the related passwords and contact details: every measure put in place to safeguard the account is now working against its legitimate owner. Data such as images documenting past experiences may be deleted by the thieves and might not be recoverable even if legitimate access to the account is restored.
It is relatively easy to see the cookies that are stored locally, although the exact location varies with the browser and operating system in use. As an example, the author’s machine (running Firefox) has stored a file ‘logins.json’ which includes details of websites, user names and passwords. The user name and password fields are encrypted, but software exists that claims to be able to decrypt them. If the account details for the browser are known, a rogue browser can simply read all of the data back as clear text.
A phishing attack is unlikely to get a target to disclose this information directly, but if the target can be fooled into downloading software that intercepts traffic or allows remote control, the relevant data can be siphoned off quietly. The user may have been infected through malicious websites or downloads. Some of these attacks install themselves, steal the cookie data and then delete themselves, leaving no trace of the attack beyond the consequent loss of account control.
Many cookies are never written to disk but are kept in memory only while the user is browsing a site. These session cookies can be viewed from within the browser but are lost when the browser is closed. If the hacker can set up a man-in-the-middle attack and impersonate the target site, those session cookies end up on the hacker’s computer rather than on that of the intended user.
Phishing attacks are often sophisticated, and every user needs to be alert to requests for information, even from individuals or bodies that ought to be trustworthy. There are methods to reduce both the likelihood and the impact of social media account theft through cookie theft.
Although dated, the advice to take care on http websites still holds true. Most web pages are now served over https, so their packets are encrypted, unlike http sites, where all traffic, passwords included, passes across the Internet in the clear. Modern browsers highlight and warn about http pages for this reason, although such pages are unlikely to be a threat if nothing beyond the page request passes between the user and the site.
To protect cookie data specifically:
- Use browser settings to delete older or all cookies.
- Review which passwords are stored within a browser.
- Avoid re-using passwords and account names.
- Be wary of sharing browser accounts between work and home machines.
- Do not send account details over public WiFi.