How Stored Browser Data Presents Risk – And How to Secure It (Pt. 2) 

by Talon Research
April 14th, 2022

Our previous post in this series discussed the browser as a gateway to the internet and all the data types stored within it. In this second part, we’ll focus on cookies and the potential risk they present if stolen. 

We described three types of browser cookies. Cookies are text strings that websites may save to a user’s local disk. They enable saving online behavior and relevant user data for future use by the website. 

Terminology 

  • Session cookies – may be used to track online activities for a short period. With them, users can be kept logged into websites. Session cookies are set with no expiration date and deleted once the browser is closed. 
  • Persistent cookies – these cookies may be used to save user preferences (e.g., language, internal bookmarks), such that they’re recalled the next time a user re-visits a site. They are set with an expiration date and remain intact even after the browser has been closed. For example, they can remember authentication tokens such that users don’t need to re-enter credentials every time they visit a corresponding site. They provide a more convenient and faster online experience. 
  • Third-party cookies – are created by ancillary websites not directly visited by a user. Examples include chatbot services, social plug-ins, and ads. For instance, when a blog post embeds a YouTube video, YouTube adds a cookie to viewers’ browsers. 
  • Secure cookies – transmitted only over HTTPS connections. Secure cookies are often used by eCommerce sites and financial institutions to provide secure online transactions. 

Stealing cookies 

Browser session hijacking is a form of online identity theft that can occur when a hacker steals a victim’s session ID (stored as a cookie) and poses as that user. Even if the credentials are encrypted and the site is secure, it’s still possible for an attacker to impersonate a victim if they manage to get hold of the session cookie. 

How can session hijacking be executed 

  • Session Fixation – hackers trick a user into clicking a malicious link having a preset session ID.  
  • MiTM Attacks – the current session cookie can be stolen via an insecure network connection. It’s fairly standard for such cookie stealing to occur on public Wi-Fi networks, such as those found at airports or your local internet café. This is because insecure networks may enable attackers to intercept network traffic and capture sensitive information passing through using techniques such as DNS poisoning, ARP spoofing, etc.  
  • Malware Attacks – MITRE ATT&CK mentions various adversaries that can inject software into a user’s browser that enables them to inherit cookies, HTTP sessions, etc. For example, TrickBot used web injects and browser redirection to trick users into providing their login credentials on a fake or modified web page. 
  • Cross-site scripting (XSS) attacks – using XSS, an attacker can exploit a vulnerable web application to plant malicious JavaScript code that steals cookies from other victims using the application. 
  • Malicious extension – Another technique involves installing a malicious extension on a victim’s browser. For example, Gigamon’s Applied Threat Research (ATR) team detected a suspicious spike in outbound network traffic from a customer workstation, prompting an investigation. It uncovered four vulnerable extensions that had impacted over half a million users, including workstations within significant global organizations. In that case, the Change HTTP Request Header extension didn’t contain malicious code in itself, but the ATR team identified two items that, when combined, enable it to inject and execute arbitrary JavaScript code which could lead to stealing cookies and other sensitive data. 
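
The cookie types defined under Terminology, and two of the hijacking routes listed above (MiTM capture and XSS theft), can be checked from a site's Set-Cookie response headers. The following is an added example, not code from the original post or from Talon: the header strings and host names are constructed, the party check is a simplification, and the HttpOnly test covers an attribute the post does not name (it hides a cookie from page JavaScript).

```javascript
// Added example. Header strings and host names are constructed samples.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq);
  const cookie = { name, value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Simplified party check (assumption): same host or a subdomain of the page
// host counts as first-party. Browsers compare registrable domains instead.
function isFirstParty(responseHost, pageHost) {
  const r = responseHost.toLowerCase();
  const p = pageHost.toLowerCase();
  return r === p || r.endsWith("." + p);
}

// Classify a cookie with the article's terms and list exposure findings.
function classifyCookie(header, responseHost, pageHost) {
  const { name, attrs } = parseSetCookie(header);
  // Persistent cookies carry an expiry; session cookies carry none.
  const persistent = "expires" in attrs || "max-age" in attrs;
  const findings = [];
  if (attrs.secure !== true) {
    findings.push("no Secure: can travel over plain HTTP, exposed to MiTM capture");
  }
  if (attrs.httponly !== true) {
    findings.push("no HttpOnly: readable by page JavaScript, exposed to XSS theft");
  }
  return {
    name,
    lifetime: persistent ? "persistent" : "session",
    party: isFirstParty(responseHost, pageHost) ? "first-party" : "third-party",
    secure: attrs.secure === true,
    findings,
  };
}

// Constructed samples: a hardened session cookie and a weak third-party one.
console.log(classifyCookie("sid=abc123; Path=/; Secure; HttpOnly", "app.example.test", "app.example.test"));
console.log(classifyCookie("track=xyz; Max-Age=31536000", "video.example.net", "blog.example.test"));
```

The findings matter most for cookies that carry session IDs or authentication tokens.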

From stolen cookies to breach 

Stolen session cookies could result in the takeover of a user’s account, as we reported early last month. This in turn puts any organization the user is affiliated with at risk. 

In one recent incident, hackers purchased stolen cookies online. Containing user login details, one cookie enabled the group to access a Slack channel used by game publisher Electronic Arts. One thing led to another, ultimately resulting in the miscreants making off with a claimed 780 GB of product source code. 

Summary 

The browser must adequately protect enterprise data, as well as cookies stored within it. To meet this critical requirement, Talon bridges the gap in two ways: 

  • Secure browser-based workspace – Providing browser infrastructure hardening and proprietary protection techniques, TalonWork protects against info stealers, man-in-the-browser (MitB) attacks, and malware installed on a given device. These threats are known to interact with browsers to steal access tokens, cookies, credentials, or credit card information. 
  • Protection from malicious extensions – TalonWork identifies and prevents the installation of malicious and suspicious extensions. Such extensions are capable of stealing data, tokens, cookies, or credentials, or of surreptitiously performing actions on behalf of users in or outside your enterprise applications. 
