Cookies are a common target for hackers because they represent a major vulnerability in web applications. Multi-factor authentication (MFA) is a traditional approach to solving this problem, but it’s becoming less effective as attackers devise ways of defeating it. Web developers are using new methods like Progressive Web Apps (PWAs) to defend against modern attacks in the current cloud and mobile-oriented computing environments.

An HTTP cookie is a small amount of data that a web browser stores on the user’s computer. Their intended purpose is to allow website to remember session data like the contents of a shopping cart or other browsing activity for that website. Cookies also contain information that users entered into forms, such as names, payment card numbers and password, which are of great interest to hackers.

Session hijacking, also known as cookie hijacking, is the process of obtaining unencrypted cookies, which can allow the hacker to gain full access to an enterprise network. It relies on HTTP’s stateless nature, meaning that isn’t inherently able to remember information between sessions. It must therefore use cookies to record this information, which can include login details. A hacker who can use the information in cookies to hijack the session while the session is still running may be able to login as an authorized user.

Multifactor Authentication

MFA is a method of electronic authentication that requires more than one factor for a user to obtain access to a computer system. These factors may be categorized in something the user has, something the user knows and something the user is. MFA has become an essential security practice for many organizations because it’s far more secure than requiring only one authentication factor, which typically consists of a userid and password. System administrators typically use MFA in conjunction with Identity and Access Management (IAM) tools, making it easier to request and verify multiple factors from users. The dramatic growth in remote work during 2020 has greatly increased the adoption of MFA, since organizations need to ensure the identity of everyone accessing their systems.

Malicious actors have too much to gain from obtaining cookies to be completely deterred by MFA, so they’ve developed methods like pass-the-cookie attacks to address it. This attack exploits the fact that the browser must create a cookie after the user has passed all the authentication checks, thereby passing the cookie from the authorized user to the attacker. This approach can allow a malicious actor to gain access without the need for MFA verification. Pass-the-cookie attacks are becoming more common as organizations place more trust in using MFA solutions as the gatekeeper for their systems. In addition to the possibility of bypassing MFA, compromised cookies often go unnoticed because the session ID shows the user is verified.

Progressive Web Apps

A PWA is an application that the web delivers to the user. It’s built with standard web technologies like CSS, HTML and Java and is intended to work with any standards-compliant browsers. PWAs offer the same functionality as a native mobile app written in a programming language specific to that device, but they effectively turn a website into a web app. Furthermore, the fact that they can be downloaded and installed onto the user’s device streamlines the procedure for deploying features and services since developer don’t need to write code for multiple devices.

However, PWAs also pose a security risk because the session doesn’t automatically end if the user simply closes the PWA without actively logging out of the browser session. Web servers usually specify the time to close the session, providing attackers with a window of opportunity to grab a cookie and use it to access services that remain connected until the session times out. While cookie data doesn’t allow attackers to access the web server after the session times out, it does allow them to deploy a back door before that happens. This technique could provide the attacker with persistent access.

 

Malware Infection flickr photo by Visual Content shared under a Creative Commons (BY) license