What is session hijacking?

Stolen cookies are key elements of common and dangerous session hijacking attacks that can leave your most sensitive data exposed to criminals. From spending your money to collecting your passwords, session hijacking can do a lot of damage before you even know what’s happened. So how does it work?

A session is a series of interactions between your device and the web server. A session starts once you log in to a website or a web application — let’s say your bank. It continues as you check your balance or make some payments and ends the moment you log out. But how does the web server know that each request you make is actually coming from you?

This is where cookies come in. Once you log in, you send your credentials to the web server. It confirms who you are and gives you a session ID using a cookie that will be attached to you throughout the session. This is why you don’t get logged out of Facebook each time you visit someone’s profile and why Amazon remembers what you put in your shopping cart even if you refresh the page.

But if someone takes advantage of poor session management practices or steals your cookie, they can hijack your session. The criminal will then fool the web server into thinking the requests are coming from you, an authorised user. From then on they can do things like bank transfers or online purchases on your behalf without even having to steal your login info.

Session hijacking can be put into two major categories, depending on what the perpetrator wants.

Active. In an active attack, the culprit takes over your session and stops your device from communicating with the web server, kicking you off. Posing as you, the criminal can perform actions only you would be able to. Depending on what website the session is taking place on, the hacker can then make online purchases, change passwords, or recover accounts as if they were you.

Passive. In a passive attack, you don’t get kicked out of the session. Instead, the criminal quietly observes the data traffic between your device and the server, collecting your sensitive information. This way they can find out your passwords, credit card details, and other information without raising suspicions.

There are quite a few methods to perform a session hijacking attack. Most session hijacking tactics rely on web server vulnerabilities, but some exploit poor security on the user end.

Session side jacking. This method takes advantage of insecure networks to find out your session ID. The attacker utilizes sniffing software and usually targets public Wi-Fi or websites without an SSL certificate, which are known for poor security.

Session fixation. In session fixation, the attacker gets you to use a session ID they created. They can do so with phishing tactics, getting you to click on a malicious link that “fixes” your session ID to a particular website. Then, they can access it as you, hijacking your session.

Brute-force. The most time-consuming and ineffective method is brute-forcing the session ID. During this attack, the hacker doesn’t actually steal your cookie. Instead, they try every possible combination to guess your session ID and hijack your session.

Cross-site scripting. In cross-site scripting, the hacker exploits vulnerabilities in legitimate websites or applications to insert malicious code. When a user visits the website, the script activates, stealing the user’s cookie and sending it to the attacker.

Malware. Malicious software can do anything from performing unauthorized actions on your device to stealing your personal data. Malware can also be utilized to perform cookie hijacking and send the information to the attacker.

IP spoofing. In IP spoofing, the criminal changes their packet’s original IP to make it seem like it came from you. When you connect to a website, you need to perform a three-way TCP handshake. The hacker gets in the middle of it with a spoofed IP and the web server thinks it’s you from the start. From then on, they can perform TCP session hijacking.

Whether session hijacking is successful usually comes down to the security of the websites or applications you are using. However, there are steps you can take to protect yourself.

• Avoid public Wi-Fi. Free Wi-Fi hotspots are ideal for cybercriminals. They usually have poor security and can easily be mimicked by hackers who tend to use evil twin attacks for this. Not to mention they are always full of potential victims whose data traffic is exposed.
• Refrain from insecure websites. Any website not using a SSL certificate makes you vulnerable by failing to encrypt traffic between you and the website. Check if a website is secure by looking for a little lock next to the URL. If there is, it’s secure.
• Get an anti-malware app. It detects and protects your device from malicious software that could perform unauthorized actions and steal your information. We strongly recommend using our own Threat Protection feature. It helps you identify malware-ridden files, stops you from landing on malicious websites, and blocks trackers and intrusive ads on the spot.
• Download software carefully. Only download apps you know to be legitimate. A good way to avoid unintentionally downloading malware on your device is to exclusively purchase apps from their official stores.
• Don’t open unknown links. If you get a message prompting you to click on an unfamiliar link, don’t do it. It might be a phishing tactic to get you to visit an infected website that can infect your device and steal your information.