‘Tis the season for session hijacking - Here’s how to stop it

December 22, 2020 | Bernard Brode

This blog was written by an independent guest blogger.

The air is getting colder, leaves are falling from the trees, and people everywhere are settling in for the holiday season, which means one thing: increased cybersecurity vulnerability.

With more aspects of the winter holidays relegated to online platforms this year, people everywhere are more susceptible to cyberattacks. Luckily, there are plenty of simple steps you can take to protect yourself from digital threats and online scams. But there is one particularly nefarious type of cyberattack that you might not be aware of. This is session hijacking.

In this article, we will take a look at what session hijacking is, how the holidays make you extra vulnerable to this type of attack, and how to prevent it from happening to you.

What is Session Hijacking?

Let’s start with the terms. A session is the period of time when a user is actively accessing an application, website, or other online service. Each user session begins when you log into a website or app and ends when you log out of it. For example, when you type your username and password into a banking application, that begins your session on that online application.

When you log into an online application, the server typically issues a temporary session cookie that your browser stores. Your browser sends this cookie back with each subsequent request, which is how the server knows you have already been authenticated. Each temporary session cookie carries a unique session ID, or key. If a hacker is able to obtain your unique session ID, they can take over your session.

Session hijacking, also called “cookie hijacking”, can follow several patterns. One method, cross-site scripting, or XSS, essentially works like this. An attacker injects a script into a page served by the web server the victim uses. The victim logs in, establishing a unique session ID, and requests the tampered-with page. The server returns the page code with the attacker’s script embedded, the victim’s own browser executes the script, and the script sends the victim’s unique session cookie to the attacker. The attacker is then granted access to the user’s session, meaning they can witness any interaction taking place there and steal any sensitive information revealed in the session.

Malvertising is another current “hot” technique that induces a victim to click on an ad infected with malicious code that snags the session ID, thus granting the hacker access to the victim’s unique session key. Here again, the victim is authenticated on the server and the hacker can hijack the victim’s session. All the attacker has to do is input the victim’s session ID on their own browser, tricking the server into reading the hacker’s browser connection as the victim’s already authenticated session.

Holidays under threat

The coronavirus pandemic has had many wide-ranging effects on all of us. One result of this global situation is the massive increase in cybersecurity vulnerability. Studies have shown precipitous rises in spam attempts, as opportunistic hackers seek to prey on widespread uncertainty. But the pandemic places cybersecurity at risk on another level as well.

This year, the holidays have gone digital to an extent never seen before. From shopping for gifts to celebrating with friends and family in other households via video conferences online, almost every aspect of this socially distanced holiday season relies on digital tools. And that means there is a drastic increase in the number of opportunities for hackers to intercept and steal your personal information.

As the office meeting has been replaced with video conference calls, session hijackers have managed to get in on the action, giving rise to a whole new type of attack: zoombombing. Those who don’t implement cybersecurity best practices run the risk of losing session control. Once a hacker has gained remote control of a conference call attendee’s desktop, they can kick out other call attendees, impersonate users to write unwanted messages, end meetings, and more.

E-commerce is also rife with vulnerabilities to session hijacking. If you click on an ad that uses a malicious link to take you to an online shopping platform, your entire interaction on that site will immediately be accessible to hijackers. Even on reputable sites that require you to log in and authenticate your presence, a savvy session hijacker can easily obtain your personal details, including home address, social contacts, bank details, and credit card information. This does not make for a happy holiday season.

Shore up your defenses

Luckily, there are simple steps you can take to protect yourself against session hijacking this holiday season. By taking the time to deploy these methods, you can prevent more severe damages from being incurred by a successful session hijack.

First of all, avoid logging into secure sites on public networks. Public Wi-Fi networks are especially vulnerable to “session sniffing,” in which hackers intercept web traffic, seeking out and recording cookies as they pass over the network connection. Plus, because so many people share the same network, public Wi-Fi networks are harder to secure.

Next, employ a quality ad blocker on your browser and devices to block ads that may contain malicious software and links. Browser-extension ad blockers protect what loads in your browser, while standalone ad blockers intercept potentially malicious content before it reaches any application on your device, thereby protecting your entire system.

Then, regenerate your session ID after you log in. Hackers can often use “brute force” to try to guess your unique session key. This is sometimes as easy as guessing: session IDs often contain easy-to-predict values, such as your IP address and the time and date of login. By changing your session ID after login, you can confuse and frustrate attempts at access.

Only accept session IDs from trusted servers. Time out inactive sessions, ensuring that you don’t stay logged in for longer than you need to. And, importantly, log out of your session when you are done.
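Here is what these defenses look like on the server side, as an added example written for this post and not the author’s or any product’s code: a hypothetical in-memory session store that issues unguessable IDs, rotates the ID at login, expires idle sessions, ignores IDs it never issued, and sets the cookie flags that keep an injected script (the XSS case described earlier) from reading the cookie. The `SessionStore` class, the `IDLE_TIMEOUT` value and the `session_cookie_header` helper are all constructed for illustration.

```python
import secrets
import time

# Constructed, hypothetical in-memory session store for illustration only.
# Idle limit is an assumed value: seconds of inactivity before a session dies.
IDLE_TIMEOUT = 15 * 60


class SessionStore:
    def __init__(self, now=time.time):
        self._sessions = {}   # session_id -> {"user": ..., "last_seen": ...}
        self._now = now       # injectable clock so the timeout can be tested

    def create(self, user=None):
        # 32 bytes from the OS CSPRNG: nothing derived from IP address or time,
        # so there is no predictable value for an attacker to guess.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def lookup(self, sid):
        # Only IDs this server issued are sessions; anything else is ignored.
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]   # idle timeout: the user must log in again
            return None
        entry["last_seen"] = self._now()
        return entry

    def login(self, old_sid, user):
        # Rotate the ID when privilege changes, so an ID that leaked or was
        # planted before login never becomes an authenticated session.
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def logout(self, sid):
        # Explicit logout invalidates the ID server-side, not just in the browser.
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    # HttpOnly stops script in the page (the XSS case) from reading the cookie,
    # Secure keeps it off plaintext Wi-Fi, SameSite limits cross-site sending.
    return f"Set-Cookie: session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
```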

Stay safe for the holidays

While session hijacking attacks are often subtle and difficult to detect, you can greatly decrease the likelihood of a successful attack by following the steps outlined above. Use common sense to avoid suspicious-looking websites or applications. Stick with server-generated session IDs, and be vigilant.

Stay aware and on the alert for web activity that seems strange, or sites that don’t seem secure, and you will be able to protect yourself and stay safe throughout this digital holiday season. 

About the Author: Bernard Brode

Bernard Brode is a product researcher at Microscopic Machines and eternally curious about where the intersection of AI, cybersecurity, and nanotechnology will eventually take us.
