“Sneak Attack”

By Scott Hamilton
I believe I have talked about a technology known as internet cookies in the past, but it has definitely been a while, so before I get into the topic for this week I need to refresh your memory on cookies. We all like cookies; my favorite is a good, moist chocolate chip, but unfortunately internet cookies are not things we eat. Internet cookies are things that the sites we visit leave behind on our computer to track what we last did on their site. A few examples from my own computer right now will help to explain. At this very moment I have 77 cookies from google.com, 33 from microsoft.com, 14 from hulu.com and a bunch of others.
I can tell you from experience that the 77 from Google are storing my search history and session cookies, so Google can give me more relevant results when I search for something and let me access my Gmail account without typing my password every time I open the browser. The ones from Microsoft are keeping track of my most recently opened documents on SharePoint, search history in my Office 365 email account and probably my search history on Microsoft Bing. The ones from Hulu are storing the history of the shows I have watched, even partial episodes, so I can resume where I left off while binge-watching my favorite shows.
As you can see, internet cookies make things very convenient for me as the end user of a website and its services. The thing about cookies is that there was an old claim that, because the cookies are stored on your computer and only accessed when you visit the associated site, the site owner does not have access to the content of the cookies, but this is a lie. Any website you visit not only has access to its own cookies, but through agreements with service providers, it can access pretty much any cookie on your computer. For example, if you visit my website https://www.techshepherd.org, my site can see your Google search history by reading your Google cookies and recommend articles on my site for your reading pleasure.
Most of the data stored in cookies is harmless information about your browsing habits, but some cookies contain much more critical information. These are called session cookies and are used by websites like gmail.com and your banking website to keep your account active on the site instead of making you log in again every time you access a new page of information. These session cookies contain a temporary key to allow your computer access to secure sections of a website for a limited period of time. Up until recently this was considered a safe practice, since the lifetime of the session cookies is only a few minutes, up to 15 minutes in most cases and as little as five minutes on banking sites. However, a group of hackers has found a way to revive expired session cookies.
A hacker going by the name of PRISMA revealed to Google that they found a way to bring expired session cookies back to life. These particular cookies are heavily utilized by Google’s popular Chrome browser to sync your information between multiple devices. Google transfers and stores these session cookies in your online account as well as directly on your device, allowing all the devices logged in to your Google account on Chrome to maintain the same browser history, links and session information. It definitely makes using Chrome across multiple devices convenient, but at a cost. Hackers have found a way to steal your expired session cookies from Google, probably through the same mechanism used to view your search history on a website. They gain access to your session cookies from Google; even an expired one works. They then use a little-known backdoor in Google’s authentication system to log in to your Google account with your expired session cookie. You can think of it like someone guessing the combination to your locker; once they have the combination, you have to change the lock, only this is a bit worse, as these expired cookies can even work after your password has been changed.
So how do you protect yourself from such a sneaky attack? The first thing to do is to log out of your Google Chrome account and disable the sync capability. This revokes all the session cookies, including the expired ones. Revoking a session cookie puts it on a list on the server that says to no longer accept the cookie; it is the equivalent of changing your lock. The second recommendation is to enable “Enhanced Safe Browsing” in Chrome. The third is to change your password regularly, which has always been good advice. Something that has not been openly shared about this exploit is that it affects all Google Chrome-based browsers, which includes the Microsoft Edge browser and the main user interface of all Chromebooks. For now you are still safe with the Firefox web browser, but it is just a matter of time before someone discovers a similar attack against Firefox session cookies, so it is best to choose never to sync data with a browser, no matter how convenient it seems. For more detailed information on this exploit, see https://t.ly/5oUrb.
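The server-side bookkeeping described above (a short session lifetime, a revocation list, and sessions that should stop working when the password changes) can be sketched in a few lines of Python. This is an added example, not code from this column or from Google; the SessionStore class, its cookie layout and the signing key are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed sample key, not a real secret
SESSION_LIFETIME = 15 * 60        # seconds; the "up to 15 minutes" from the column


class SessionStore:
    """Hypothetical server-side session checker (illustration only)."""

    def __init__(self):
        self.revoked = set()       # the "no longer accept this cookie" list
        self.password_epoch = {}   # user -> counter bumped on every password change

    def _sign(self, payload: str) -> str:
        return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, now: float) -> str:
        epoch = self.password_epoch.setdefault(user, 0)
        payload = f"{user}|{int(now) + SESSION_LIFETIME}|{epoch}"
        return f"{payload}|{self._sign(payload)}"

    def revoke(self, cookie: str) -> None:
        self.revoked.add(cookie)

    def change_password(self, user: str) -> None:
        # Bumping the counter invalidates every cookie issued before the change.
        self.password_epoch[user] = self.password_epoch.get(user, 0) + 1

    def check(self, cookie: str, now: float) -> str:
        payload, _, sig = cookie.rpartition("|")
        if not hmac.compare_digest(sig.encode(), self._sign(payload).encode()):
            return "rejected: bad signature"
        if cookie in self.revoked:
            return "rejected: revoked"
        user, expires, epoch = payload.split("|")
        if now >= int(expires):
            return "rejected: expired"
        if int(epoch) != self.password_epoch.get(user, 0):
            return "rejected: password changed"
        return "accepted"


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.issue("alice", now=1_700_000_000)  # constructed user and time
    print(store.check(cookie, now=1_700_000_060))
    store.change_password("alice")
    print(store.check(cookie, now=1_700_000_060))
```

A server that runs every one of these checks on each request gives an expired, revoked or pre-password-change cookie nothing to revive.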
Until next week, stay safe and learn something new.
Scott Hamilton is an Expert in Emerging Technologies at ATOS and can be reached with questions and comments via email to sh*******@te**********.org or through his website at https://www.techshepherd.org.