Hackers Steal Session Cookies to Bypass Multi-Factor Authentication

Hackers Steal Session Cookies to Bypass Multi-Factor Authentication(esecurityplanet.com)

3 points by responsible 3 years ago | 5 comments

neetcode22 3 years ago |

I found this blog on session management really useful: https://supertokens.com/blog/all-you-need-to-know-about-user...

There is a solution to this....

Cookies should always be used in conjunction with a TLS Session ID.

If the session ID doesn't match, then throw away the cookies.

Session ID is designed to be hard to steal - in some clients, it actually uses keys from the TPM to derive the session ID - so even if someone steals the browser cookie jar, there is no way they can recreate the session ID.

Sadly today very few sites check the session ID

josephcsible 3 years ago |

If you're using an ATM and just put in your card and entered your PIN, and then someone walks up with a knife, makes you leave, and withdraws $1000 from your bank account, was that a bypass of the ATM's 2FA?

responsible 3 years ago | |

This article talks about infostealers which don’t resort to violence or five dollar wrench attacks. Instead they sneak onto systems via various means and surreptitiously exfiltrate all they can. Some even bypass AV by being polymorphic and installing root kits which can’t be so easily removed by AV.

josephcsible 3 years ago | | |

It doesn't have to be violence though. Consider if you logged in to your email with 2FA, then walked away from your computer without locking it, and then someone else walked up and copied all of your messages. Is that bypassing 2FA?