While Multi-Factor Authentication (MFA) significantly reduces the risk of unauthorised access by requiring additional verification beyond just a password, hackers have found ways to bypass it by stealing cookies from active or recent web sessions.

How is it Possible?

Browser cookies are essential for allowing web applications to remember a user’s authentication details, so they don’t need to log in repeatedly as they navigate through a website. This convenience, however, comes at the cost of security.

Hackers can exploit this functionality to steal credentials and bypass the login challenge entirely. Behind the scenes, browsers store these cookies in SQLite database files, which hold key-value pairs that include critical information such as tokens and expiration dates.

When MFA is enabled, users must provide additional identity verification, such as approving a push notification on their mobile device. After passing MFA, a browser cookie is generated and stored for that web session. The vulnerability arises when attackers manage to extract these cookies. With the right cookies, they can authenticate as another user in a different browser session on a different system, effectively bypassing MFA.

This attack can be automated, as hackers know exactly where these SQLite database files are located for all major browsers, including Chrome and Firefox, across various operating systems. Scripts for this purpose are often found bundled with info-stealing and other types of malware. Initial access is typically gained through phishing or spear-phishing campaigns, which deploy cookie-stealing malware without the victim’s knowledge.

How Can You Protect Your System from Such Attacks?

Pass-the-Cookie attacks pose a serious threat for several reasons:

  1. No Administrative Rights Needed: A Pass-the-Cookie attack doesn’t require administrative access. Any user can read and decrypt their own browser cookies, regardless of their privilege level on the system.
  2. Minimal Information Required: Attackers don’t need to know the compromised account’s user ID or password, making this attack possible with very little information.
  3. Persistence: It’s possible to carry out Pass-the-Cookie attacks even after the browser has been closed.

Steps You Can Take

There are several measures you can implement to reduce your risk:

  • Avoid using built-in browser features to save passwords unless they are encrypted with a master password.
  • Disable the “remember passwords” or “remember me” feature and avoid allowing persistent sessions.
  • Configure your browser to delete all cookies automatically when it’s closed.
  • Implement authentication monitoring and threat detection tools.
  • Use a hardened web browser.
  • Consider using an offline password manager.
  • Be cautious about the links you click.
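
As an illustration of the authentication monitoring step above (an added example, not code from the original article or from any product): the script below scans web-session events and flags a session cookie that is used by a different client than the one that passed MFA. The JSON log format, the field names and the sample events are assumptions constructed for this example. An IP change on its own can be benign, such as a mobile network switch, so treat it as a weaker signal than a combined IP and user-agent change.

```python
import json

# Constructed sample events, one JSON object per line (field names are assumptions).
SAMPLE_LOG = """
{"event": "mfa_success", "user": "alice", "session": "s-1001", "ip": "203.0.113.10", "ua": "Firefox/125 Windows"}
{"event": "request", "user": "alice", "session": "s-1001", "ip": "203.0.113.10", "ua": "Firefox/125 Windows"}
{"event": "mfa_success", "user": "bob", "session": "s-2002", "ip": "198.51.100.7", "ua": "Chrome/124 macOS"}
{"event": "request", "user": "alice", "session": "s-1001", "ip": "192.0.2.55", "ua": "Chrome/124 Linux"}
{"event": "request", "user": "alice", "session": "s-1001", "ip": "192.0.2.55", "ua": "Chrome/124 Linux"}
{"event": "request", "user": "bob", "session": "s-2002", "ip": "198.51.100.99", "ua": "Chrome/124 macOS"}
{"event": "request", "user": "carol", "session": "s-3003", "ip": "192.0.2.80", "ua": "curl/8.5"}
"""


def find_replayed_sessions(log_text):
    """Flag sessions used by a client other than the one that passed MFA."""
    origin = {}      # session id -> (ip, ua) recorded when MFA succeeded
    seen = set()     # (session, ip, ua) already alerted on, to avoid repeats
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        sid, client = ev["session"], (ev["ip"], ev["ua"])
        if ev["event"] == "mfa_success":
            origin[sid] = client
            continue
        if ev["event"] != "request" or (sid, *client) in seen:
            continue
        if sid not in origin:
            changed = ["no_mfa_record"]   # cookie presented without a logged MFA
        else:
            changed = [name for name, old, new in
                       zip(("ip", "ua"), origin[sid], client) if old != new]
        if changed:
            seen.add((sid, *client))
            alerts.append({"session": sid, "user": ev["user"],
                           "ip": ev["ip"], "changed": changed})
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_LOG):
        print(alert)
```
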

While MFA is a crucial security measure, it is not foolproof. Believing that MFA makes you invulnerable to hacking is a dangerous misconception.

One of the most effective ways to bolster your IT security is to partner with a trusted cybersecurity expert who can manage your IT infrastructure and help identify potential threats. Partnering with Britannia IT can ensure your IT defences are robust, allowing you to focus on what truly matters in your work. If you’re interested in learning more about how Britannia IT can help you achieve peace of mind with your IT security, contact us today!