Privacy 101 🧠

What is cookie theft and session hijacking?

Cookie theft is a lot more complicated than keeping a lid on your cookie jar… Crummy cookie jokes aside, cookie theft (also called session hijacking) is one of the latest ways hackers gain access to personal data. So what is cookie theft and how are hackers using it to gain access to your computer? 

If you got this far, you probably already know about computer cookies. Since new data privacy laws were passed in 2018, internet users have seen many more websites asking whether they accept their cookie policies.

To fully understand what cookie theft is, you need to understand what cookies are. And, more importantly, you need to know how they work.

What are cookies?

Cookies are a technology that allows websites to identify you as you browse the web. They are primarily helpful for websites with returning users.

For example, if you have ever visited a news website that remembers your location it will present you with local news. If it’s a weather website, you won’t need to type in your address every time.

(For more on when to accept cookies while browsing the web, check out our guide to what computer cookies are.)

Things get trickier when we start talking about third-party cookies. These cookies deserve their bad reputation, as they’re invasive and intrusive trackers of your online behavior.

What sets third-party cookies apart is that they are a bit like a trail of crumbs that follows you across the web.

Remember that time you searched for a pair of new shoes? And then all of a sudden started seeing shoe ads pop up for the exact color you liked? That’s third-party cookies in action.

In reality, cookies are tiny text files containing unique identifiers that allow websites to remember you.

When you log into a website or web application, your browser knows you are logged in because the server sets a temporary session cookie. That session cookie allows you to stay authenticated to the website as you continue to browse different pages on the site.

Think about shopping on Amazon. If you had to re-enter your password and login information with every new page you opened, it would be a drag. And, when you do get logged out, it can be annoying to sign back in. Session cookies solve that by keeping you logged in.

It’s convenient – but leaves you vulnerable to hackers.

This gets tricky when a hacker can steal that session ID and navigate wherever you were logged in on the web, using that cookie and pretending to be you. It’s basically a form of online identity theft!

Cookie theft occurs when hackers steal a victim’s session ID and replay that person’s cookie over the same network. There are several ways they can do this.

  1. The first is by tricking a user into clicking a malicious link with a pre-set session ID. 
  2. The second is by stealing the current session cookie. 

The most common cookie theft occurs over unprotected public Wi-Fi connections when a person accesses a secure website. Even if the username and password are encrypted and a site is secure, it’s still possible for a hacker to steal the session data information traveling through the unsecured Wi-Fi and hijack the session you are in. That’s why you should always

So what can hackers do after a session hijacking?

This is where things can get dangerous. 

Although hackers won’t know the password to your bank account or other secure accounts, they will be able to enter an active session you have.

This is why many websites such as banks have timeouts that require you to log back in after as little as 5 minutes of idle time.

If a hacker hijacks your session while you are logged into a bank, they will be able to take any actions that you would be able to take while logged in as well.

That includes transferring money, buying products from a store which you are logged into, accessing personal information and more.

You can prevent session hijacking through good digital hygiene practices. While you don’t need to know how to remove yourself from the internet (although that certainly would guarantee no cookie theft!), it’s important to know a few session hijacking countermeasures.

One of the most basic ways you can prevent cookie theft and session hijacking is by checking URLs. More secure websites use HTTPS to ensure that all of your session traffic is encrypted with SSL/TLS. Most websites these days use HTTPS encryption, but it’s always best to check. This is especially true when entering personal data.

You can check if a website uses HTTPS by looking at the URL at the top of your browser. Chrome, for example, displays a lock to the left of the URL when a website is using HTTPS.

Another privacy measure is to avoid logging onto free public Wi-Fi connections, especially those without password protection. Whenever you do log onto public Wi-Fi, always use these tips to keep your information safe on public Wi-Fi.

A third way is to implement automatic log-off when sessions are not in use. This is definitely annoying and can make it really inconvenient to browse the web. At the very least, consider setting your browser to automatically log you out every time you close the browser. This means that you can keep it open during the work day, and then wipe your session clean once work is over.

Again, not the most convenient, since you’ll need to log back into everything the following morning. But certainly much less of a pain than figuring out what to do if your identity is stolen because someone stole your cookie and hijacked your session!

Unfortunately, most of the security measures to prevent cookie theft or session hijacking are on the server-side of the equation that website administrators must implement.
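The server-side measures mentioned above tie together several points made earlier: the temporary session cookie the server sets at login, the "pre-set session ID" trick, the bank-style idle timeout, and the HTTPS-only cookie. The following Python example, written for this article and not code from the original page or from any website described in it, shows what those measures look like in a minimal session store built on the standard library. The class and function names (SessionStore, validate, login, set_cookie_header) and the five-minute timeout constant are this example's own choices; the "client hint" used to bind a session to the browser that started it is a constructed placeholder for something like a hash of the User-Agent header.

```python
"""Illustrative server-side session handling (added example, not the article's code).

Shows, using only the Python standard library:
  * issuing a random, server-chosen session ID in a Set-Cookie header with the
    HttpOnly, Secure and SameSite attributes and no Expires/Max-Age, so the
    browser discards it when closed (the "wipe your session on close" idea),
  * refusing any ID the server did not issue (the "pre-set session ID" trick),
  * an idle timeout like the bank example (as little as 5 minutes),
  * rotating the ID when the user logs in, and dropping a session that is
    suddenly presented by a different client than the one it was issued to.
All names here are this example's own assumptions.
"""
import secrets
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie

IDLE_TIMEOUT_SECONDS = 5 * 60   # assumed value, matching the article's bank example
COOKIE_NAME = "sid"             # assumed cookie name


@dataclass
class Session:
    user: str
    client_hint: str       # constructed binding value, e.g. a hash of User-Agent
    last_seen: float       # unix time of the last validated request
    authenticated: bool = False


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._sessions = {}   # session ID -> Session

    def create(self, client_hint, now):
        """Issue a fresh, unguessable ID. The server never accepts a caller-supplied one."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user="", client_hint=client_hint, last_seen=now)
        return sid

    def set_cookie_header(self, sid):
        """Render the Set-Cookie value for a session cookie that only travels over HTTPS."""
        c = SimpleCookie()
        c[COOKIE_NAME] = sid
        c[COOKIE_NAME]["httponly"] = True    # page scripts cannot read it
        c[COOKIE_NAME]["secure"] = True      # never sent over plain HTTP
        c[COOKIE_NAME]["samesite"] = "Strict"
        c[COOKIE_NAME]["path"] = "/"
        # Deliberately no 'expires' or 'max-age': the browser drops it on close.
        return c.output(header="").strip()

    def login(self, sid, user, now):
        """Rotate the ID on login so an ID known before login is worthless afterwards."""
        old = self._sessions.pop(sid, None)
        if old is None:
            raise KeyError("unknown session")
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(user=user, client_hint=old.client_hint,
                                          last_seen=now, authenticated=True)
        return new_sid

    def validate(self, sid, client_hint, now):
        """Return 'ok', 'unknown', 'expired' or 'mismatch' for a presented cookie."""
        s = self._sessions.get(sid)
        if s is None:
            return "unknown"      # never issued (e.g. attacker pre-set) or already destroyed
        if now - s.last_seen > self.idle_timeout:
            del self._sessions[sid]
            return "expired"      # idle too long: force a fresh login
        if s.client_hint != client_hint:
            del self._sessions[sid]
            return "mismatch"     # cookie presented by a different client: treat as hijacked
        s.last_seen = now
        return "ok"


def demo():
    """Walk through the scenarios from the article with constructed inputs."""
    store = SessionStore()
    now = time.time()
    sid = store.create("ua-hash-A", now)
    print(store.set_cookie_header(sid))
    print("pre-set id   ->", store.validate("id-chosen-by-attacker", "ua-hash-A", now))
    sid = store.login(sid, "alice", now)
    print("same client  ->", store.validate(sid, "ua-hash-A", now + 1))
    print("other client ->", store.validate(sid, "ua-hash-B", now + 2))


if __name__ == "__main__":
    demo()
```

The client binding is a heuristic, not a guarantee: a legitimate user's browser update or a shared corporate proxy can also change the hint, so production systems usually log a mismatch and require re-authentication rather than treat it as proof of theft. Note also that the server can only protect the cookie in transit by marking it Secure and serving the whole site over HTTPS, which is why the article's advice to check for HTTPS matters even when the server side is done well.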