Hackers Are Stealing Your Cookies

June 18, 2020
Cookies can do a lot more than just track your web browsing activity. Now it appears that hackers have found a way to steal your passwords too.

What are computer cookies?
A cookie is a tiny file that websites store on your computer. They are normally perfectly harmless – and quite useful too. In fact, many of the websites you use every day rely on cookies to work properly.

What are cookies used for?
Cookies were designed to be a reliable mechanism for websites to remember information or to record the user's browsing history. These tiny text files can be used to store login information and credit card details, and to help advertisers show ads they think will be relevant to your preferences.

Cookies can be useful, for instance by saving you from retyping your login details for a website you have visited before. Cookies do not display passwords directly; instead they contain a hash that stores your password. When a password has been hashed, it has been scrambled so that only the website it came from can read it. The website uses a unique encryption algorithm to encode and decode the hash.

Why do hackers want your cookies?
Normally hackers love to steal passwords, but stealing your cookies may be just as good. By installing your cookies with hashed passwords into their web browser, the criminal can immediately access your account, no login required.

Your cookies can be used to easily compromise social media, email and many other services.

How do hackers steal cookies?
If hackers can access your computer or your network, they can probably steal your cookies. Sometimes they can steal them directly from an insecure web server too.

People are getting smarter about protecting their computers against malware by installing a reputable antivirus solution. As a result, criminals are having to resort to more advanced techniques, such as stealing information passing through public WiFi networks.

All a hacker needs to hack your cookies is a Firefox extension called Firesheep. Firesheep is an extension that detects and copies cookies sent over a wireless network. As the extension discovers cookies, it builds a list on the hacker's computer. They can then simply click on a cookie, and it logs into the website as the unsuspecting user.
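As an added example (not from the original post), the following Python script reads HTTP response headers and flags cookies that lack the Secure, HttpOnly and SameSite attributes; a cookie without Secure is also sent over unencrypted HTTP, which is exactly what Firesheep-style sniffing on an open wireless network picks up. The header lines are constructed samples, not captured from any real site.

```python
# Attributes a session cookie should carry. Without Secure the browser also
# sends the cookie over plain HTTP, where anyone on the same open Wi-Fi can
# read it; HttpOnly hides it from page scripts; SameSite limits cross-site use.
REQUIRED_ATTRIBUTES = ("Secure", "HttpOnly", "SameSite")

# Constructed sample HTTP response headers (not captured from any real site).
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly",
    "Set-Cookie: auth=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: prefs=dark; Path=/",
    "Content-Type: text/html",
]


def parse_set_cookie(header: str) -> tuple:
    """Split one Set-Cookie header into (cookie name, {attribute: value})."""
    _, _, value = header.partition(":")
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # names are case-insensitive
    return name, attrs


def audit_cookies(headers: list) -> dict:
    """Map each cookie name to the list of required attributes it lacks."""
    findings = {}
    for line in headers:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(line)
        findings[name] = [a for a in REQUIRED_ATTRIBUTES if a.lower() not in attrs]
    return findings


def exposed_on_plain_http(findings: dict) -> list:
    """Cookies without Secure: the browser will send them in the clear."""
    return [name for name, missing in findings.items() if "Secure" in missing]


if __name__ == "__main__":
    result = audit_cookies(SAMPLE_HEADERS)
    for name, missing in result.items():
        print(f"{name}: missing {missing or 'nothing'}")
    print("sent in the clear over HTTP:", exposed_on_plain_http(result))
```

Running it against a real site's headers (for example, pasted from your browser's developer tools) shows which of its cookies would travel unprotected over an open network.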

What can I do to protect my cookies?
A simple but effective way to stop hackers from stealing your personal information is to clear your cookies on a regular basis. Experts recommend doing this every 7 to 14 days. They also advise never storing credit card information on a site unless it is trusted. Deleting cookies does have one drawback, however: you will have to re-enter passwords and personal information the next time you log on to a website. This may be inconvenient and annoying, but it is also much safer in the long run, protecting you against cookie theft.

And if you have problems remembering lots of passwords, consider using a password manager, such as LastPass, to keep them safe and secure for you. Take a look at our guide How To Protect Your Password and Keep Hackers Away to learn more.
