Internet users may want to keep an eye on their cookie jar, because a new discovery has linked cookies with hacked social media accounts.
Internet researcher Rishi Narang discovered a flaw in the way cookies are used by Twitter, LinkedIn, Microsoft Outlook/Live, and Yahoo. According to Australia’s SC Magazine, Narang found that cookies can be “stolen and used” in a “session fixation” attack.
Session fixation is an attack that tricks a victim into using a session identifier chosen by the attacker. If it succeeds, it is the simplest way for an attacker to obtain a valid session identifier.
One student at SHSU, however, didn’t find the exploit a big deal.
“If I got hacked like that, I wouldn’t really care,” senior student Christopher Valva said. “It’s just a Twitter account. It’s not my entire life.”
If an attacker can intercept a user’s cookies while that user is logged in, the attacker can effectively convince the website that the attacker’s browser is the user’s browser, gaining “unfettered access” to the account. Not even a password change will keep the attacker out.
It goes without saying that this form of hacking only works while the user is logged in, because the cookie is deleted when the user logs out. LinkedIn is an exception, however, because it sometimes retains a user’s cookie for three months.
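The two behaviours described above, a cookie that survives a password change and a cookie that dies at logout, come down to whether the server keeps any record of the sessions it has issued. The following is an added example, not code from the article, from Narang’s write-up, or from any of the sites named; it is a constructed in-memory model that contrasts a self-contained signed token (nothing to revoke) with a server-side session registry that can revoke on logout, on password change, and on a timeout. The user names, the cookie name `auth_token` (borrowed from the article), the HMAC key and the timestamps are all constructed for illustration.

```python
"""Added example (not from the article or from Narang's write-up): a minimal
model of why a copied auth_token cookie keeps working after a password change
unless the server can revoke it, and what a revocable design looks like.

All names, keys and timestamps below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SERVER_KEY = b"constructed-demo-key"  # assumption: a server-side signing key


def mint_stateless_token(user: str, issued_at: int) -> str:
    """Self-contained signed token (the weak design): the server records nothing,
    so it has no way to invalidate one copy of it without rotating the key."""
    payload = f"{user}:{issued_at}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_stateless_token(token: str) -> Optional[str]:
    """Returns the user if the signature checks out. Logout and password changes
    have no effect, because the token carries no revocable state."""
    try:
        user, issued_at, sig = token.rsplit(":", 2)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, f"{user}:{issued_at}".encode(),
                        hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(sig, expected) else None


class SessionStore:
    """Server-side registry: every issued auth_token value is recorded, so it
    can be revoked on logout, on password change, or by an age limit."""

    def __init__(self, max_age_seconds: int = 3600):
        self.sessions: Dict[str, dict] = {}
        self.max_age = max_age_seconds

    def login(self, user: str, now: int) -> str:
        token = secrets.token_urlsafe(32)  # unguessable auth_token value
        self.sessions[token] = {"user": user, "issued": now}
        return token

    def lookup(self, token: str, now: int) -> Optional[str]:
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s["issued"] > self.max_age:  # absolute lifetime exceeded
            del self.sessions[token]
            return None
        return s["user"]

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)

    def change_password(self, user: str) -> int:
        """Revoke every live session for the user; returns how many were revoked."""
        stale = [t for t, s in self.sessions.items() if s["user"] == user]
        for t in stale:
            del self.sessions[t]
        return len(stale)


def demo_stateless() -> dict:
    """A copied stateless token is still accepted after a password change."""
    token = mint_stateless_token("alice", 1_000_000)
    # The password change happens here, but there is nothing to revoke.
    return {"copy_after_password_change": verify_stateless_token(token)}


def demo_stateful() -> dict:
    """With a registry, the same copied cookie value stops working as soon as
    the session is logged out, revoked by a password change, or aged out."""
    store = SessionStore(max_age_seconds=3600)
    now = 1_000_000
    token = store.login("alice", now)
    copied_cookie = token  # a second copy of the same cookie value
    results = {"copy_while_logged_in": store.lookup(copied_cookie, now + 20)}
    store.logout(token)
    results["copy_after_logout"] = store.lookup(copied_cookie, now + 30)
    other = store.login("alice", now + 40)
    results["sessions_revoked_on_password_change"] = store.change_password("alice")
    results["other_after_password_change"] = store.lookup(other, now + 50)
    aged = store.login("alice", now + 60)
    results["after_max_age"] = store.lookup(aged, now + 60 + 3601)
    return results
```

The LinkedIn behaviour the article mentions corresponds to a large `max_age_seconds` with no revocation on logout; the registry design makes both the lifetime and the revocation points explicit and auditable.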
In his blog, Rishi Narang evaluated how this new exploit affects session management security.
“Ever since the session management grew complex,” Narang wrote, “its correlation with security has gone for a toss.”
SC Magazine also reported that they were able to duplicate Narang’s method to test this exploit’s effectiveness.
According to their test, “[They were] able to access various Twitter accounts by inserting the respective alphanumeric ‘auth_token’ into locally stored Twitter cookies using the Cookie Manager browser extension.”
The process of intercepting cookies is tedious and troublesome, but it is hardly beyond the ability of an experienced hacker. Users of any site should take heed and log out at the end of each session.