A new Kaspersky report reveals that 87% of randomly surveyed websites display cookie notifications, yet most users remain unaware of the serious threats posed by these small data files. Cookies are text files stored by browsers to enhance website functionality and track user activity, and they sometimes become targets for cyberattacks. One such threat, session ID hijacking, involves attackers gaining unauthorised access to users’ active sessions on websites. This could potentially give attackers access to sensitive data or the ability to perform actions on a victim’s behalf, like setting up unauthorised transactions. With global regulations like GDPR and others mandating transparency in data collection, the report emphasises the critical need for robust cookie management to protect personal and corporate information from exploitation.
Depending on the website’s configuration, cookie files can store a variety of data including browsing preferences, personal details such as phone numbers or payment information, and even login credentials. Attackers can steal these cookies to hijack a user’s session on a website. For instance, with a session sniffing technique, attackers might intercept a user’s session ID on public Wi-Fi, or if the site uses HTTP protocol instead of HTTPS. Cross-site scripting (XSS) allows attackers to inject malicious scripts into a website, which are executed in a user’s browser to steal session IDs or other cookie data. Session fixation is used by attackers to trick victims into using a pre-set session ID, allowing access to their account after authentication.
In a real-life scenario, if an attacker intercepts a user’s session ID while the user is logged into an online store, the attacker can, for instance, get the shipping address or access the user’s payment credentials if the session grants access to the account’s payment settings. Thus, session ID hijacking can lead to privacy breaches, financial loss, as well as account compromise or even identity theft. The user may also face reputational damage if the attacker misuses their account to send fraudulent messages or make unauthorised posts.
“Cookies are the backbone of seamless online experiences, enabling everything from personalised settings to streamlined logins, but they’re also a target for hackers if not handled with care. Without proper safeguards, attackers can exploit session IDs to hijack user accounts, steal sensitive data, or even manipulate website interactions, making it imperative for developers to prioritise security measures and for users to stay proactive in protecting their digital footprint,” comments Natalya Zakuskina, Senior Web Content Analyst at Kaspersky.
To counter these threats, Kaspersky recommends users the following:
- Avoid browsing HTTP-based websites and should never input any sensitive information on these websites as it is easily intercepted. Users should also avoid sharing sensitive or confidential information when using public Wi-Fi networks without virtual private network (VPN).
- Opt for minimal cookie acceptance when possible. Remember to clear browser’s cookies and cache regularly.
- Enable two-factor authentication, avoid clicking on suspicious links, and regularly clear browser data.
Website developers should enforce HTTPS, use HttpOnly and Secure flags, implement CSRF tokens, and adopt cryptographically secure session ID generation.
Discussion about this post