Billions of Cookies Up For Grabs As Experts Warn Over Session Security

Billions of stolen cookies are being sold on the dark web and Telegram, with over 1.2 billion containing session data that can grant cybercriminals access to accounts and systems without login credentials, bypassing MFA. The Register reports: More than 93.7 billion of them are currently available for criminals to buy online and of those, between 7-9 percent are active, on average, according to NordVPN's breakdown of stolen cookies by country. Adrianus Warmenhoven, cybersecurity advisor at NordVPN, said: "Cookies may seem harmless, but in the wrong hands, they're digital keys to our most private information. What was designed to enhance convenience is now a growing vulnerability exploited by cybercriminals worldwide. Most people don't realize that a stolen cookie can be just as dangerous as a password, despite being so willing to accept cookies when visiting websites, just to get rid of the prompt at the bottom of the screen. However, once these are intercepted, a cookie can give hackers direct access to all sorts of accounts containing sensitive data, without any login required."

The vast majority of stolen cookies (90.25 percent) contain ID data, used to uniquely identify users and deliver targeted ads. They can also contain data such as names, home and email addresses, locations, passwords, phone numbers, and genders, although these data points are only present in around 0.5 percent of all stolen cookies. The risk of ruinous personal data exposure as a result of cookie theft is therefore pretty slim. Aside from ID cookies, the other statistically significant type of data that these can contain are details of users' sessions. Over 1.2 billion of these are still up for grabs (roughly 6 percent of the total), and these are generally seen as more of a concern.

Name and shame

[Mean Variance]

I would like to see some group inspect those cookies and domains to see which ones aren't using the feature properly through encryption, timeouts, etc. Nothing wrong with cookies and sessions. Who would want to login constantly, but there's a right way and wrong way. If any financial institutions aren't managing sessions properly, we should know who they are.

Re:

[unfriendlyLLM]

Doesn't seem like the ENTIRE scamable crypto front end was developed just to exploit this ...?

But that spoils the fun!

[hawk]

In a different era, junkbuster was sufficient for trackers and such. It was most known for letting you keep a domain blocklist.

One of the lesser used features, though, was a provision for a "cookie jar", with the noted possibility that users could trade cookies to throw off (or just annoy!) those who tracked us.

I first put it on after loading a couple of large (for the time) pages full of animated gifs on a 486. It brought the system to its knees! (X on Linux did *not* react well to high loads in those d

Re: Billions of cookies

[LindleyF]

The purchaser appears to live on "Sesame St." Weird.

Re: Billions of cookies

[PPH]

That's why it's repulsive. We're not supposed to notice that genocide.

Re:

[Anonymous Coward]

Send them to Gaza - aren't they all starving there?

Plenty of cookies and other food waiting at the border. It' not that there isn't any food. It's that Israel is blocking it so the Gazans can starve. Thank Trump for giving them cover.

Trump, and also Biden prior. The US "uniparty" strikes again.

The article should say....

[unfriendlyLLM]

Closed source platforms still trading users creds to develop "user expeirence" (open source too).....

All due to gross incompetence

[gweihir]

One of the most important characteristic of a secure access cookie is "seesion only" or at the very least "short lifetime". As in "same day". But we have too many crappy applications made by people that do not even understand the very basics of security.

Holy shit, Lone Gunmen was right again

[DrMrLordX]

https://m.youtube.com/watch?v=... [youtube.com]

They compromised our cookie!

Cookies!

[RitchCraft]

https://www.youtube.com/watch?... [youtube.com]

Enforced Standards

[RossCWilliams]

I think this is another example of how unregulated systems fail. As I understand it, cookies are supposed to be secure when done properly. But there is no way to enforce them being done properly. Its past time that programming standards are established and enforced. AI makes that even more important. There needs to be some way found to reliably test output.

Re:

[mysidia]

Not after cookie monster has his way with your computer.

Well my main complaint would be 1. Websites fail to Update session auth cookies at every page load and fail to make sure the previous version of the cookie is Invalidated and cannot be replayed.

And 2. Websites like to "remember" sessions and fail to enforce sessions will invalidate and require re-auth after 20 minutes or so of inactivity. For example: Microsoft and Gmail do this.. you can literally leave your computer for an entire day and retu

Re: Enforced Standards

[dargaud]

How were they storm on the first place? Chicken are stored only locally afaik. So the computer would have to be already compromised, no?

Re:

[RossCWilliams]

Yes, I know that suggesting we have actual engineering standards for software that people are required by law to follow is heretical gibberish.

Re:

[mysidia]

I agree with you. Although it is not the main way cookies are being stolen. Cookies are usually stolen after malware compromises the client.

Phishing-resistant authenticators (such as Passkeys or client TLS certs) should be considered absolutely mandatory, however, and MFA without phishing resistance is not secure authentication.

I toss my cookies when closing my browser

[davidwr]

After I barf them away, nobody would want them even if they did still exist.

Nobody is willing

[Uldis Segliņš]

being so willing to accept cookies when visiting websites ... Have you tried "not accepting" the cookies? You have to clik literally hundreds of times no, no, no, for example on the ones saying "legitimate interest". Legitimate my bum! It is exceptionally cumbersome half of places and little cumbersome on minority of places to opt out. I have seen only a couple of times when the opt out was as easy as opt in.

Me2

[hcs_$reboot]

I have 16^32 session cookies to sell.

Cookie banners again...

[Anamon]

Session cookies aren't what those consent banners are about. Any site that doesn't do creepy stuff against the visitor's interest is allowed to store session and preference cookies without asking.

But I wasn't expecting correct tech info from something published by NordVPN, a service which, in their advertisement, implies that anyone can read your credit card information in plain text when you shop online without using their VPN...

Disparate use cases

[PPH]

Session login cookies are supposed to expire at logout, or a reasonably short inactivity timeout. Tracking cookies are forever. The necessary requirements have to cover both. Guess which one will win in the battle over standards and defaults in todays economy?

Secure cookies can be done. It just takes some work. Not something the mouth-breather devs over at AdSense want to deal with.

How?

[HnT]

How were these stolen? Especially in times of letsencrypt and almost ubiquitous TLS?

Re:

[notsouseful]

How were these stolen? Especially in times of letsencrypt and almost ubiquitous TLS?

When the server sends cookies back to the client, they generally get stored somewhere the browser chooses, in a file on the OS. If someone's computer gets some malware or virus on it then the cookie files are going to be readable and that data can be sent to whatever servers the malware is configured to communicate with, just like passwords/emails/etc.

Plenty of people get malware on their computers and mobile devices. They are likely not stealing the cookies during transmission here but at rest. They can pr

Where is the Cookie Monster?

[p51d007]

He had to have something to do with this! LOL