Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
Security Privacy The Internet

Billions of Cookies Up For Grabs As Experts Warn Over Session Security (theregister.com) 36

Posted by BeauHD from the PSA dept.
Billions of stolen cookies are being sold on the dark web and Telegram, with over 1.2 billion containing session data that can grant cybercriminals access to accounts and systems without login credentials, bypassing MFA. The Register reports: More than 93.7 billion of them are currently available for criminals to buy online and of those, between 7-9 percent are active, on average, according to NordVPN's breakdown of stolen cookies by country. Adrianus Warmenhoven, cybersecurity advisor at NordVPN, said: "Cookies may seem harmless, but in the wrong hands, they're digital keys to our most private information. What was designed to enhance convenience is now a growing vulnerability exploited by cybercriminals worldwide. Most people don't realize that a stolen cookie can be just as dangerous as a password, despite being so willing to accept cookies when visiting websites, just to get rid of the prompt at the bottom of the screen. However, once these are intercepted, a cookie can give hackers direct access to all sorts of accounts containing sensitive data, without any login required."

The vast majority of stolen cookies (90.25 percent) contain ID data, used to uniquely identify users and deliver targeted ads. They can also contain data such as names, home and email addresses, locations, passwords, phone numbers, and genders, although these data points are only present in around 0.5 percent of all stolen cookies. The risk of ruinous personal data exposure as a result of cookie theft is therefore pretty slim. Aside from ID cookies, the other statistically significant type of data that these can contain are details of users' sessions. Over 1.2 billion of these are still up for grabs (roughly 6 percent of the total), and these are generally seen as more of a concern.
This discussion has been archived. No new comments can be posted.

Billions of Cookies Up For Grabs As Experts Warn Over Session Security More

Billions of Cookies Up For Grabs As Experts Warn Over Session Security

Comments Filter:

  • Name and shame (Score:5, Informative)

    by Mean Variance ( 913229 ) <mean.variance@gmail.com> on Friday May 30, 2025 @09:29PM (#65417951)

    I would like to see some group inspect those cookies and domains to see which ones aren't using the feature properly through encryption, timeouts, etc. Nothing wrong with cookies and sessions. Who would want to login constantly, but there's a right way and wrong way. If any financial institutions aren't managing sessions properly, we should know who they are.

    • Doesn't seem like the ENTIRE scamable crypto front end was developed just to exploit this ...?

    • But that spoils the fun! (Score:4, Interesting)

      by hawk ( 1151 ) <hawk@eyry.org> on Saturday May 31, 2025 @01:35PM (#65419067) Journal

      In a different era, junkbuster was sufficient for trackers and such. It was most known for letting you keep a domain blocklist.

      One of the lesser used features, though, was a provision for a "cookie jar", with the noted possibility that users could trade cookies to throw off (or just annoy!) those who tracked us.

      I first put it on after loading a couple of large (for the time) pages full of animated gifs on a 486. It brought the system to its knees! (X on Linux did *not* react well to high loads in those days!)

      And cookies are the reason my uid here is so high.

      Originally, there was no login; you just pasted your name in to make a comment (I *said* that it was a different era!).

      One morning I came in, and it had an announcement that cookies would now be used, and it was no longer possible to post without them.

      As I was one of the many at the time who made a folder with the name of the cookie file, blocking their storage, I refused for quite a while. Eventually, though, I registered.

      I would like to see a modern project to catch and exchange tracking cookies. Just for the fun of it.

      hawk

  • Closed source platforms still trading users creds to develop "user expeirence" (open source too).....

  • One of the most important characteristic of a secure access cookie is "seesion only" or at the very least "short lifetime". As in "same day". But we have too many crappy applications made by people that do not even understand the very basics of security.

  • Enforced Standards (Score:4)

    by RossCWilliams ( 5513152 ) on Friday May 30, 2025 @11:05PM (#65418091)
    I think this is another example of how unregulated systems fail. As I understand it, cookies are supposed to be secure when done properly. But there is no way to enforce them being done properly. Its past time that programming standards are established and enforced. AI makes that even more important. There needs to be some way found to reliably test output.
    • How were they storm on the first place? Chicken are stored only locally afaik. So the computer would have to be already compromised, no?
      • Yes, I know that suggesting we have actual engineering standards for software that people are required by law to follow is heretical gibberish.

        • Re: (Score:2)

          by dargaud ( 518470 )
          I just re-read my post and went WTF. It's easy to blame autocorrect, but I normally read back before posting...

  • After I barf them away, nobody would want them even if they did still exist.

  • being so willing to accept cookies when visiting websites ... Have you tried "not accepting" the cookies? You have to clik literally hundreds of times no, no, no, for example on the ones saying "legitimate interest". Legitimate my bum! It is exceptionally cumbersome half of places and little cumbersome on minority of places to opt out. I have seen only a couple of times when the opt out was as easy as opt in.
  • I have 16^32 session cookies to sell.
  • Session cookies aren't what those consent banners are about. Any site that doesn't do creepy stuff against the visitor's interest is allowed to store session and preference cookies without asking.

    But I wasn't expecting correct tech info from something published by NordVPN, a service which, in their advertisement, implies that anyone can read your credit card information in plain text when you shop online without using their VPN...

  • Session login cookies are supposed to expire at logout, or a reasonably short inactivity timeout. Tracking cookies are forever. The necessary requirements have to cover both. Guess which one will win in the battle over standards and defaults in todays economy?

    Secure cookies can be done. It just takes some work. Not something the mouth-breather devs over at AdSense want to deal with.

  • How? (Score:2)

    by HnT ( 306652 )

    How were these stolen? Especially in times of letsencrypt and almost ubiquitous TLS?

    • How were these stolen? Especially in times of letsencrypt and almost ubiquitous TLS?

      When the server sends cookies back to the client, they generally get stored somewhere the browser chooses, in a file on the OS. If someone's computer gets some malware or virus on it then the cookie files are going to be readable and that data can be sent to whatever servers the malware is configured to communicate with, just like passwords/emails/etc.

      Plenty of people get malware on their computers and mobile devices. They are likely not stealing the cookies during transmission here but at rest. They can pr

  • He had to have something to do with this! LOL

Slashdot Top Deals

A university faculty is 500 egotists with a common parking problem.

Close