As a lover of cookies, I’d certainly notice if someone stole a chocolate chip cookie from me. Keeping a close eye on browser cookies is not nearly as tasty and certainly overlooked. I will show you how your cookies work and a few things you can do to keep yourself protected.
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. One of the 15 Credential Access attack techniques they specifically call out is Stealing Web Session Cookies.
Cookies are simply small pieces of data your web browser uses for a better web surfing experience. Cookies are stored in memory and on the hard drive of your computer. They give a website a way to remember what you’ve done in the past. It is literally just a small text file that is encrypted with DPAPI. You’ll find it on your Windows computer by navigating to:
We’re going to review web session cookies that are used for authentication with a Facebook example.
The beautiful thing about a web session cookie is you can click the keep me logged in button. When you leave Facebook’s website and come back, there is no need to be inconvenienced with entering your username and password.
At face value, cookies seem awesome, and they are, but like anything, there is a risk associated with ease of access. Someone could steal your session cookies and log in from another browser, not knowing your actual password for as long as that session cookie is valid.
First off, let’s take a quick look at where your cookies are stored. If you go to Facebook.com in Chrome, you can hit Ctrl + Shift + I, and this will open the Developer tools. Click on Application along the top, and you’ll find Cookies listed under Storage on the left side, where you’ll click on https://www.facebook.com.
You are now looking at your cookies, and Facebook uses these values to know how to deliver a richer surfing experience.
Since we’re talking security, let’s focus on two cookies listed as c_user and xs. Your User ID is the value under c_user, and xs is the session secret. The combination of these two cookies lets Facebook’s website know whether you are logged in or not. If you clicked the remember me check box when you logged in, the session secret cookie would stay the same for the next 90 days.
Knowing this info, we can copy and paste the c_user and xs info, as I’ve done in Notepad. Moving to another browser, you see we are not currently logged in. We open the developer tools, and you see there is no c_user or xs cookie listed. Since we saved our User ID (the c_user) and our Session Secret (the xs) when we did the copy-paste, we’ll simply add the Name and Value in. We can close the developer tools, hit browser refresh, and we’ve now logged in without using a username or password. Pretty cool and kind of creepy.
Since we are talking security, let’s review a few mitigation techniques to help keep you safe. MITRE ATT&CK has three recommendations:
- Multi-factor Authentication
- Software Configuration
- User Training
Using multi-factor authentication on target domains can make it so session cookies can’t be reused. You’ll need to set this up on Facebook under Security and Logins, but it is easy to do and stops all sorts of attacks on your account. I get that MFA is a pain, but getting robbed is a bigger pain.
Configure your browser or apps to refresh or delete persistent cookies. There are quite a few cookie settings, and no one setting is necessarily the right way. However, look through them to find a balance of usability and security that feels like the right level of risk for you. Doing something will always be better than doing nothing.
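The same concern applies from the other side if you run a website: how long do the session cookies you hand out stay valid, and do they carry the protective attributes? The script below is an added example, not code from this post or from Facebook; it audits Set-Cookie headers for session cookies that persist past a policy limit (the 30-day MAX_SESSION_DAYS policy, the cookie values and the example.com domain are all constructed) or that lack the Secure and HttpOnly attributes.

```python
"""Audit Set-Cookie headers for long-lived, weakly protected session cookies.
Added example, not from the original post; cookie names/values are constructed."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

MAX_SESSION_DAYS = 30  # hypothetical policy: a login session should not outlive this

def cookie_lifetime_days(morsel, now):
    """Lifetime in days; 0.0 means a non-persistent cookie that dies with the browser."""
    if morsel["max-age"]:  # Max-Age takes precedence over Expires (RFC 6265)
        return int(morsel["max-age"]) / 86400
    if morsel["expires"]:
        exp = parsedate_to_datetime(morsel["expires"])
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return max((exp - now).total_seconds(), 0) / 86400
    return 0.0

def audit_set_cookie(header, session_names, now=None):
    """Return findings for one Set-Cookie header value, checking only session cookies."""
    now = now or datetime.now(timezone.utc)
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        if name not in session_names:  # cookies that do not carry login state are ignored
            continue
        days = cookie_lifetime_days(morsel, now)
        if days > MAX_SESSION_DAYS:
            findings.append(f"{name}: persistent for {days:.0f} days (policy {MAX_SESSION_DAYS})")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure (may be sent over plain HTTP)")
        if not morsel["httponly"]:  # blocks page scripts; does not stop a copy from disk
            findings.append(f"{name}: missing HttpOnly (readable by page scripts)")
    return findings

def audit_example():
    """Run the audit over constructed headers modelled on the c_user / xs pair."""
    headers = [
        "c_user=100001234567; Max-Age=7776000; Path=/; Domain=.example.com; Secure",
        "xs=CONSTRUCTED_SESSION_SECRET; Max-Age=7776000; Path=/; Secure; HttpOnly",
        "locale=en_US; Max-Age=31536000; Path=/",  # not a session cookie: skipped
    ]
    results = {}
    for h in headers:
        for finding in audit_set_cookie(h, {"c_user", "xs"}):
            results.setdefault(finding.split(":")[0], []).append(finding)
    return results
```

Both constructed session cookies are flagged for the 90-day lifetime the post describes, and c_user is additionally flagged for lacking HttpOnly; the locale cookie is ignored because it does not carry login state.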
Be vigilant about phishing attacks; they are always the easiest way for hackers to get you. The most straightforward user training advice I can give is to look at a URL before clicking it. If something seems off with the domain, don’t click on it, because it is probably bad.
I hope this gives a little better understanding of cookies and why they are such a security concern.
Author: Brian Krause
Brian leads CyberArk’s Strategic Partners Team. He spends his time working with IT leaders and technology partners to build identity practices to serve the complex needs of a rapidly transforming business environment. To learn more about Brian, check him out on LinkedIn or his YouTube Channel Security Craftsman.