Cookie Theft (SideJacking or Session Hijacking) for Normal People.

Yeah, usually these things are titled “for Dummies”, but you’re not a dummy if you don’t understand, you’re normal. This is related to the program “Firesheep” and I will attempt to make it very easy to understand the problem. The solution is a bit more complex. It all comes down to trust and discretion. Unfortunately the trust part is on the side of social networking sites and webmail providers and you are responsible for discretion.

Imagine you start a new job with a company that uses card readers to grant access to the building. When you apply and get hired the company identifies who you are and gives you a card key to get into the building. From that point on ANYONE with your cardkey can get into the building unless there are other authentication procedures, such as a PIN or fingerprint reader. Another example, you sign up for a discount with a store. You fill out a piece of paper with your name, address and phone number and they give you a magnetic card to swipe each time you make a purchase. Yeah, you can lie, but that card is tied to one person, and still you could give it to someone else or it could be stolen and used.

When you log onto a website that requires a username and password, that is when you tell Facebook, Yahoo, Amazon, or whoever it is who you are. At this point the website gives you a cookie. For the rest of the session the website is constantly looking at the cookie to determine who you are. If someone else has the cookie the website will not know it, but they will trust that it is you and provide the same access that you already have. Make sense? If I lost you, let me know and I will figure out a better way to explain it, but for now I will assume you understand it.

Consider Facebook. You log onto Facebook and give them your username and password. Facebook sends you back a cookie that they will continuously use. Facebook makes sure that anyone can use the cookie also. When you go to make a comment on a friend’s wall Facebook will read the cookie and say “yes, we know who this is” and allow you (or anyone with your cookie) to write the comment. Almost anything you (or someone with your cookie) do requires Facebook to read the cookie, determine it is you (or an imposter) and then carry out your command.

Here is where the problem comes in. When you send your username and password it is encrypted. Nobody else can see what it is, but when Facebook sends you the cookie or reads the cookie it is not encrypted. In a public coffee shop, airport, or many other places that offer free, unencrypted WIFI this means that someone else can also capture the cookie, read it, copy it and use it. The cookie is sent across the air with zero protection other than the wireless encryption (if it is turned on). Anyone can copy it and use it. Once someone else has the cookie they can use it just as if they had your cardkey or shoppers club card. They can access your account, post messages as if they were you, change some aspects of your profile, message your friends, and do many other things. The attacker will not have your password, but anything else you can do without a password they can also do.

This type of attack has long been known, but Firesheep made it easy for people with no technical skills to carry out. The problem of trust is something that the websites bear. They blindly trust without a second means of authentication. If they required the cookie to come from the same IP address each time, then this type of attack would not work. If the cookie was encrypted then this type of attack would not work. But at the moment Facebook and other sites only care that the cookie is present, not who is using it, so the attack is extremely effective and extremely easy.

As for discretion, that is upon you. If you are not on your home computer, not using a VPN, or not using SSL (https) for the whole session, then it is not a good idea to use Facebook, Twitter, Yahoo Mail, Live Mail, LinkedIn, or most other sites. Gmail is an exception, but if you have had your Gmail account for a long time you may need to make sure it is using https all of the time.

Websites that require a password really need to take responsibility and make sure that their sessions are encrypted, but that will be a while. You need to assume that when you use free WIFI that does not require you to log in with a password then everything you enter, including your username and password, is pubic information. Although Facebook encrypts the username and password, lame ISPs, like Comcast often do not.

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center – ESET LLC

Author , ESET

  • Helen

    Very interesting.
    We don't do Facebook, Twitter etc but we do use gmail and we buy online from Amazon. We live in the country, miles from anywhere, I don't think our wifi router is at risk . . .
    When away from home in a camper we use internet cafés to look up gmail.
    What is VPN, what is SSL and what is the significance of https?
    What precautions can we take if we need to do Internet banking from a public computer, Internet café for example?
    Thanks for an interesting article!

  • Randy Abrams

    Hi Helen, I think I'll need to write a whole blog to answer these questions! It will be up soon.

  • Michael

    Excellent analogy to explain session cookies. 
    Your point that requiring cookies to come from the same IP address would fix things is not true, since on a normal LAN, all the computing devices appear to the outside world to be coming from the same IP address. Unless I mis-understood… 

    • Randy Abrams

      Yeah, I should have said MAC address rather than IP. The problem is that the MAC address would probably be sent in an unencrypted cookie :)

  • David

    Im only annoyed about "pubic information"

    • thesecondarything


  • A. Y. Au-Nlaro

    This is a very good and rich information. Thanks to you Randy. Please answer Helen well so we can get some more information.

  • gkdiamond

    Nice article. The attacker will not have your password but once the hacker has a cookie from a users website, as long as the user doesn't signout and has selected to "remember me" or "remember my password" wouldn't the attacker then be able to access the users account at anytime?
    You said that if the IP address was sent with a cookie it would prevent the problem but can't any website read your IP address so why wouldn't the attacker be able to read it too? 

  • Bradley Bugos

    to answer the question, try using the Safety tab on IE8 and click on Inprivate Filtering to open the secure web browser and Inprivate Browsing (make sure this is checked under the safety tab) to secure your Internet browsing session. When you click on Inprivate Filtering, a new browser will open indicating Inprivate is ON, a tab at the top of the browser will show Inprivate, and your browsing will pevent anyone seeing your browsing activity. Doing so will prevent any information being sent to web sites and companies where you have visited. In other words, the cookies will not be stored on your PC, so no one will know you visited their web site. A very nice security feature built into IE8. Make sure you have an active anti-virus software installed on your PC along with the firewall activated. This will prevent anyone gaining information about your PC and the habits you use when browsing the Internet. Hope this helps you be more safe browsing the Internet at home and on the road. Take care and happy surfing the web!

  • Larry

    This would explain how my Yahoo account was hacked, even though there was no unusual sign-in activity in the sign-in log. I had my andriod phone on and had turned on wifi at my house to download some apps, forgot to turn it off. Just when I used the yahoo email app in a public place, all my contacts received spam from me. I know they did not simply use my email address because the spam was in my sent folder…… I wish yahoo used SSL! I guess I may have to drop yahoo and go gmail. I put 2 antivirus apps on my phone, no viruses found.
    I can not think of any other explaination except for session hijacking… Is there any other explaination? 

Follow us

Copyright © 2017 ESET, All Rights Reserved.