


Billions of Cookies Up For Grabs As Experts Warn Over Session Security (theregister.com)
Billions of stolen cookies are being sold on the dark web and Telegram, with over 1.2 billion containing session data that can grant cybercriminals access to accounts and systems without login credentials, bypassing MFA. The Register reports: More than 93.7 billion of them are currently available for criminals to buy online and of those, between 7 and 9 percent are active, on average, according to NordVPN's breakdown of stolen cookies by country. Adrianus Warmenhoven, cybersecurity advisor at NordVPN, said: "Cookies may seem harmless, but in the wrong hands, they're digital keys to our most private information. What was designed to enhance convenience is now a growing vulnerability exploited by cybercriminals worldwide. Most people don't realize that a stolen cookie can be just as dangerous as a password, despite being so willing to accept cookies when visiting websites, just to get rid of the prompt at the bottom of the screen. However, once these are intercepted, a cookie can give hackers direct access to all sorts of accounts containing sensitive data, without any login required."
The vast majority of stolen cookies (90.25 percent) contain ID data, used to uniquely identify users and deliver targeted ads. They can also contain data such as names, home and email addresses, locations, passwords, phone numbers, and genders, although these data points are only present in around 0.5 percent of all stolen cookies. The risk of ruinous personal data exposure as a result of cookie theft is therefore pretty slim. Aside from ID cookies, the other statistically significant type of data that these can contain are details of users' sessions. Over 1.2 billion of these are still up for grabs (roughly 6 percent of the total), and these are generally seen as more of a concern.
Name and shame (Score:5, Informative)
I would like to see some group inspect those cookies and domains to see which ones aren't using the feature properly through encryption, timeouts, etc. Nothing wrong with cookies and sessions. Who would want to login constantly, but there's a right way and wrong way. If any financial institutions aren't managing sessions properly, we should know who they are.
Re: (Score:1)
But that spoils the fun! (Score:3)
In a different era, junkbuster was sufficient for trackers and such. It was most known for letting you keep a domain blocklist.
One of the lesser used features, though, was a provision for a "cookie jar", with the noted possibility that users could trade cookies to throw off (or just annoy!) those who tracked us.
I first put it on after loading a couple of large (for the time) pages full of animated gifs on a 486. It brought the system to its knees! (X on Linux did *not* react well to high loads in those d
Re: Billions of cookies (Score:3)
Re: Billions of cookies (Score:2)
That's why it's repulsive. We're not supposed to notice that genocide.
Re: (Score:1)
Send them to Gaza - aren't they all starving there?
Plenty of cookies and other food waiting at the border. It's not that there isn't any food. It's that Israel is blocking it so the Gazans can starve. Thank Trump for giving them cover.
Trump, and also Biden prior. The US "uniparty" strikes again.
The article should say.... (Score:1)
All due to gross incompetence (Score:2)
One of the most important characteristics of a secure access cookie is "session only" or at the very least "short lifetime". As in "same day". But we have too many crappy applications made by people that do not even understand the very basics of security.
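The "Name and shame" comment above asks for someone to inspect which sites set their session cookies properly, and the comment just above names the two attributes that matter most (session-only or a short lifetime). As an added example, not code from the article, NordVPN or any commenter, here is a small Set-Cookie auditor that parses a header, reports the weak points a reviewer would flag (no Secure, no HttpOnly, no SameSite, or a lifetime longer than a day), and a builder that emits a header passing that audit. The sample headers and the one-day threshold are constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers for session-cookie hygiene.
// Sample headers and the one-day threshold are constructed assumptions.

const ONE_DAY_SECONDS = 24 * 60 * 60;

// Parse "name=value; Attr; Attr=val" into { name, value, attrs }.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
function parseSetCookie(header) {
  const [pair, ...rawAttrs] = header.split(';');
  const eq = pair.indexOf('=');
  if (eq < 0) throw new Error('Set-Cookie without name=value');
  const attrs = {};
  for (const raw of rawAttrs) {
    const t = raw.trim();
    if (!t) continue;
    const i = t.indexOf('=');
    const key = (i < 0 ? t : t.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : t.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
}

// Lifetime in seconds, or null for a session-only cookie (no Max-Age / Expires).
// Max-Age takes precedence over Expires when both are present (RFC 6265 5.3).
function cookieLifetimeSeconds(attrs, now = Date.now()) {
  if (attrs['max-age'] !== undefined) return Number(attrs['max-age']);
  if (attrs.expires !== undefined) {
    const ms = Date.parse(attrs.expires);
    if (Number.isNaN(ms)) return null; // browsers ignore an unparsable Expires
    return Math.max(0, Math.round((ms - now) / 1000));
  }
  return null;
}

// Findings for a cookie that carries a session token; empty array means OK.
function auditSessionCookie(header, now = Date.now()) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.secure) findings.push('missing Secure: may be sent over plaintext HTTP');
  if (!attrs.httponly) findings.push('missing HttpOnly: readable by page scripts');
  const ss = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : undefined;
  if (ss === undefined) findings.push('missing SameSite: relies on browser default');
  else if (ss === 'none') findings.push('SameSite=None: sent on cross-site requests');
  const life = cookieLifetimeSeconds(attrs, now);
  if (life !== null && life > ONE_DAY_SECONDS) {
    findings.push(`persistent for ${life} s: longer than one day`);
  }
  return findings;
}

// Build a header that passes the audit: session-only unless a short Max-Age is given.
function buildSessionCookie(name, value, maxAgeSeconds) {
  const parts = [`${name}=${value}`, 'Path=/', 'Secure', 'HttpOnly', 'SameSite=Lax'];
  if (maxAgeSeconds !== undefined) parts.push(`Max-Age=${maxAgeSeconds}`);
  return parts.join('; ');
}

// Constructed sample headers: one sloppy, one session-only, one with a 15-minute cap.
const SAMPLE_HEADERS = [
  'sid=abc123; Path=/; Expires=Fri, 01 Jan 2100 00:00:00 GMT',
  buildSessionCookie('sid', 'abc123'),
  buildSessionCookie('sid', 'abc123', 15 * 60),
];

for (const h of SAMPLE_HEADERS) {
  const f = auditSessionCookie(h);
  console.log(h, '=>', f.length ? f : 'OK');
}
```

The auditor only looks at what the server declares; a site may still rotate or expire tokens server-side without it showing in the header, so treat a finding as a prompt to ask, not proof of a flaw.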
Holy shit, Lone Gunmen was right again (Score:2)
https://m.youtube.com/watch?v=... [youtube.com]
They compromised our cookie!
Cookies! (Score:2)
https://www.youtube.com/watch?... [youtube.com]
Enforced Standards (Score:4)
Re: (Score:2)
Not after cookie monster has his way with your computer.
Well my main complaint would be 1. Websites fail to update session auth cookies at every page load and fail to make sure the previous version of the cookie is invalidated and cannot be replayed.
And 2. Websites like to "remember" sessions and fail to enforce sessions will invalidate and require re-auth after 20 minutes or so of inactivity. For example: Microsoft and Gmail do this... you can literally leave your computer for an entire day and retu
Re: Enforced Standards (Score:1)
Re: (Score:2)
Re: (Score:2)
I agree with you. Although it is not the main way cookies are being stolen. Cookies are usually stolen after malware compromises the client.
Phishing-resistant authenticators (such as Passkeys or client TLS certs) should be considered absolutely mandatory, however, and MFA without phishing resistance is not secure authentication.
I toss my cookies when closing my browser (Score:2)
After I barf them away, nobody would want them even if they did still exist.
Nobody is willing (Score:2)
Me2 (Score:2)
Cookie banners again... (Score:1)
But I wasn't expecting correct tech info from something published by NordVPN, a service which, in their advertisement, implies that anyone can read your credit card information in plain text when you shop online without using their VPN...
Disparate use cases (Score:2)
Session login cookies are supposed to expire at logout, or a reasonably short inactivity timeout. Tracking cookies are forever. The necessary requirements have to cover both. Guess which one will win in the battle over standards and defaults in today's economy?
Secure cookies can be done. It just takes some work. Not something the mouth-breather devs over at AdSense want to deal with.
How? (Score:2)
How were these stolen? Especially in times of letsencrypt and almost ubiquitous TLS?
Re: (Score:2)
How were these stolen? Especially in times of letsencrypt and almost ubiquitous TLS?
When the server sends cookies back to the client, they generally get stored somewhere the browser chooses, in a file on the OS. If someone's computer gets some malware or virus on it then the cookie files are going to be readable and that data can be sent to whatever servers the malware is configured to communicate with, just like passwords/emails/etc.
Plenty of people get malware on their computers and mobile devices. They are likely not stealing the cookies during transmission here but at rest. They can pr
Where is the Cookie Monster? (Score:1)