Cookies let websites identify you as you spend time online, and they’re most beneficial for websites that have returning users. If you’ve ever gone to a weather website and it remembers your location based on your last visit, that’s an example of cookies in action.
When you log in to a web application or site, like a social media account or your profile on a retail website, your browser knows that you’re logged in thanks to the temporary session cookies set by the server. That session means that you can stay logged in to the site as you browse it and click through different pages. Without cookies, you’d have to log back in every time you opened a new page on that website.
This is convenient, yes, but it leaves you more vulnerable to cookie hijackers. If a hacker gains access to your session ID, they can visit the same places you did on the site, pretending to be you.
What is Cookie Hijacking?
Cookie hijacking, also called session hijacking, is a way for hackers to access and steal your personal data, and they may also prevent you from accessing certain accounts.
Hijacking cookies is just as powerful as finding out your password, and sometimes more so. With cookie hijacking, hackers can potentially gain unlimited access to all of your resources. For example, an attacker may steal your identity or confidential company data, purchase items, or steal from your bank account.
How Does Cookie Hijacking Work?
Cookie hijacking can occur when a malware program waits for a user to log in to the website. Then, the malware steals the session cookie and sends it to the attacker.
A cookie attack is often initiated when an attacker sends a user a fake login link. The victim clicks the fake link, which lets the attacker steal the cookie – in fact, anything the user types in can be captured by the attacker. The attacker then puts that cookie in their own browser and is able to act as you.
Sometimes, a fake link isn’t even needed. If a user is in a session on an unsecured, public Wi-Fi connection, hackers can easily steal that data that’s traveling through the connection. And this can happen even if the site is secure and your username and password are encrypted.
Once the attacker has a user’s session cookie, they can log in to a website and do pretty much anything you could do, including changing your password. This is often automated, so it happens in just seconds. If the attacker then enables multifactor authentication (MFA) on the account using their own device, the victim may never regain access to it.
Firesheep is a great example of how cookie hijacking sometimes works. This Firefox browser extension, created in October 2010 by coder Eric Butler, eavesdropped on the browsing sessions of users on a shared Wi-Fi hotspot, watching for session cookies. When it detected one, it would intercept it to take over the identity of the person that session belonged to. This method of cookie hijacking is called packet sniffing.
Firesheep wasn’t malicious; it was intended to demonstrate how easy it was to hijack cookie sessions from popular websites when only the login process, not the cookies, was encrypted. Butler showed that with a basic cookie check, a hacker who was on that same hotspot could pose as another person.
More Cookie Hijacking Methods
There are a couple of other cookie hijacking methods to be aware of: brute force attacks and malware injections. If malware infects your computer or a website you run, it can spy on you and record browser sessions.
How to Prevent Cookie Hijacking
Prevention for this type of hack ranges from utilizing advanced security technology to teaching your employees (and others) about cookie hijacking threats.
Unfortunately, advanced MFA protection and advanced cookie hijacking methods are cyclical. As one improves, so must the other. For business and website owners, implementing more MFA protection won’t always improve security – it could just make the cookie hijacking attacks more advanced.
That doesn’t mean don’t use MFA at all – it does cut down on attacks in some cases. The biggest problem is that people still click on those fake links, which is why education is so important here (more on that in a second).
Also, certain MFA forms are stronger than others. For example, authentication codes sent by text message are weak, while time-based one-time passwords (TOTP) are stronger.
Everyone should know how to spot a fake link. Often, the website address will have a misspelling that’s easy to miss if you’re not paying attention. For example, it may be spelled “Facebok” instead of “Facebook.” If you notice something like that, don’t click the link.
Also, different types of MFA solutions come with different risks. It’s up to a business’ IT department to identify those risks. Again, education is key.
More Digital Hygiene Tips
There are a few more ways to limit the risk of cookie hijacking attempts:
- Check the URL: A secure website should use HTTPS to encrypt all traffic. Look at the URL to see if it begins with HTTPS.
- Only Use Safe Connections: Steer clear of free, public Wi-Fi, particularly those that don’t even have password protection.
- Log Off When You’re Done: Whenever you’re done on a website, log out. If you’re online for work and have to access the same sites multiple times a day, set your browser to automatically log you out when you close it.
- Delete Cookies: Regularly clear your cookies to make sure any leftover browsing activity data is gone.
- Use a VPN: For more advanced protection, you can use a Virtual Private Network, which hides your IP address and re-routes your traffic through an encrypted tunnel.
What WordPress Users Need to Know About Cookie Hijacking
Staying safe while browsing online is one thing. If you own or run a WordPress website, you have to keep your own site safe from cookie hijacking as well, not to mention protect your visitors.
If your website falls victim to cookie hijacking, attackers could take your login credentials and those of your customers. They can also steal credit card information, among other personal information. Essentially, if there’s a cookie hijack on your site, everyone and everything is at risk. In addition to MFA, prioritize the following.
Install an SSL Certificate
Make sure that your web host provides an SSL certificate for your website. When data is transferred between the user’s browser and the web server, SSL/TLS encrypts the data so it can’t be easily read in transit.
You don’t want to visit other websites without HTTPS, and your site should follow the same standards. You need HTTPS on more than just your site’s login pages, too – it should be on your whole site.
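Once the whole site is on HTTPS, the session cookie itself should also be marked so the browser never sends it over plain HTTP (the gap Firesheep exploited), never exposes it to page scripts, and never attaches it to cross-site requests. The following audit of Set-Cookie headers is an added example, not code from the original article; the sample headers and the cookie name `sessionid` are constructed.

```python
# Added example, not code from the original article: audit Set-Cookie headers
# for the attributes that limit cookie hijacking. Sample headers are constructed.
from dataclasses import dataclass, field


@dataclass
class CookieReport:
    name: str
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> CookieReport:
    """List the protections missing from one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    report = CookieReport(name)
    if "secure" not in attrs:
        # Without Secure the browser also sends the cookie over plain HTTP,
        # the gap that let Firesheep read session cookies on shared Wi-Fi.
        report.findings.append("missing Secure (sent over plain HTTP)")
    if "httponly" not in attrs:
        # Scripts injected into the page can read a cookie lacking HttpOnly.
        report.findings.append("missing HttpOnly (readable by page scripts)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        # Lax/Strict keeps the cookie off requests started by other sites.
        report.findings.append("SameSite not Lax/Strict (sent cross-site)")
    if "expires" in attrs or "max-age" in attrs:
        # An expiry makes the cookie outlive the browser window.
        report.findings.append("persistent (survives closing the browser)")
    return report


# Constructed sample headers: a typical weak default and a hardened one.
WEAK = "sessionid=ab12cd34ef; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"
HARDENED = "sessionid=ab12cd34ef; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Calling `audit_set_cookie(WEAK)` returns four findings, while `audit_set_cookie(HARDENED).ok` is true; you can paste the Set-Cookie header your own site returns after login to check it the same way.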
Use Anti-Malware Solutions
Every WordPress website should have a reliable security plugin. Anti-malware solutions will keep cookie-stealing software away. We have a list of the best WordPress security plugins for your website.
Keep Your Website Updated
Every part of your website should be kept up to date, from the WordPress installation itself to any themes and plugins you have installed. Whenever you run out-of-date software, it’s vulnerable to an attack.
Cookie Hijacking Frequently Asked Questions
What can hackers do with cookies?
A lot. Think of any personal information you fill in on websites – your username and password, your credit card information, your address, etc. Once a hacker gains access to your session cookies, they can basically act as you. If you’re logged in to your bank account, for example, they can set up a transfer to drain your account and move the funds into their own, and then they can change the password so you can’t access the bank account at all.
Can you get hijacked if you accept cookies?
Sometimes. You’re most vulnerable when you’re on unsecured and public Wi-Fi, like at a coffee shop or mall. There isn’t any security on the Wi-Fi connection to stop hackers from accessing whatever they can. If you have to go online in this type of setting, at least use the private or incognito mode on your browser.
How do I clear cookies?
Most browsers have an option for deleting your history and data. You should be able to delete everything, or you can opt to only delete your cookies and site data – it’s up to you. You’re also probably able to set this up to happen automatically.
Final Thoughts About Cookie Hijacking
Protecting yourself online goes beyond having hard-to-guess passwords and deleting your browsing history when you’re done for the day. You have to protect your session cookies, too, though most people don’t even realize how vulnerable this makes them. Cookies store a ton of valuable information – all that information you’re trying so hard to protect in other ways.
If you run an organization of any size, it should definitely utilize MFA – but it’s also necessary to know that it’s not a foolproof option. You need several layers of security to stay safe against cookie hijacking, and MFA is only one of those layers. When it comes to WordPress website owners, it’s important to set up as safe a website as possible to protect yourself, your employees and your visitors.
What’s most important for preventing cookie hijacking attempts is education. Making employees, users and managers aware of the threats, including what to watch out for and what not to do, is essential.
Want to learn more? Check out What Are Cookies and How Do They Work?