
How are forged cookies used in attacks on online user accounts?

Yahoo claimed a vulnerability in its email service enabled attackers to use forged cookies to gain access to user accounts. Expert Michael Cobb explains what forged cookies are and how they are used in attacks.

Yahoo notified users that the cookie vulnerability in its email service from 2014 may have been used to gain access to users' accounts as recently as 2016. Yahoo referred to this attack as using forged cookies. How are forged cookies created and used in attacks?

Cookies are used by nearly every website in order to deliver dynamic content and to improve the user experience.

When a user visits a site, the site sends a tiny piece of data -- a cookie -- that the user's browser stores on their computer. The browser sends the cookie back to the server with every subsequent request it makes to that server, such as when the user clicks a link to view a different page or adds an item to a shopping basket.

The data stored in the cookie lets the server know with whom it is interacting so it can send the correct information back to the user. For example, instead of seeing a generic welcome page, a user might see a page that welcomes them by name and shows when they last visited the site. Cookies are often used by web servers to track whether a user is logged in or not, and to which account they are logged in.

Cookie-based authentication is stateful: the server keeps a session record that spans many requests, and this has been the default way to handle user authentication in web applications for a long time. It binds the authenticated identity to each of the user's requests so the web application can enforce the appropriate access controls.

A typical example of its use begins with a user entering their login credentials, which the server verifies are correct. The server then creates a session record, stores it in a database and returns a cookie containing only the session ID to the user's browser. On every subsequent request, the browser sends the cookie back, and the server looks the session ID up in the database; if it is valid and has not expired, the request is processed as that user. The session ID itself carries no meaning -- it is just a lookup key -- so it must be long and random enough that it cannot be guessed. When the user logs out of the site, the session is usually destroyed on both the client and server side, but if the user has checked the Keep me logged in or Remember me option, the cookie persists on the user's computer and the session stays valid on the server.
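The login, lookup and logout flow described above, as an added example that is not code from the original article or from any site it mentions. It assumes an in-memory dictionary in place of the session database, a constructed user table with a placeholder password, and made-up session lifetimes; the session ID comes from the operating system's CSPRNG, and the Set-Cookie value carries the HttpOnly, Secure and SameSite attributes a practitioner would want. It also goes slightly beyond the paragraph by showing how to drop every session a user holds, which is what a site should do when that user's password changes.

```python
import hashlib
import secrets
import time
from typing import Optional, Tuple

# Constructed user table (username -> PBKDF2 hash); the password is a placeholder.
_SALT = b"constructed-static-salt"  # a real system stores a random salt per user


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash_password("correct horse battery staple")}

# Server-side session store: a dict standing in for the database in the text.
# The session ID is only a lookup key; all session state lives here, not in the cookie.
SESSION_TTL = 3600             # assumed lifetime of a normal session, in seconds
REMEMBER_ME_TTL = 30 * 86400   # assumed lifetime of a "Remember me" session
_sessions: dict = {}


def set_cookie_header(session_id: str, persistent: bool) -> str:
    """Build the Set-Cookie header value that hands the session ID to the browser."""
    # HttpOnly: page scripts (including an injected XSS payload) cannot read it.
    # Secure: the browser only sends it over HTTPS.
    # SameSite=Lax: the browser does not attach it to cross-site POST requests.
    attrs = ["Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    if persistent:
        # "Remember me": the cookie survives browser restarts for REMEMBER_ME_TTL seconds.
        attrs.append(f"Max-Age={REMEMBER_ME_TTL}")
    # Without Max-Age the browser discards the cookie when it is closed.
    return "session=" + session_id + "; " + "; ".join(attrs)


def login(username: str, password: str, remember_me: bool = False) -> Optional[Tuple[str, str]]:
    """Verify credentials; on success create a session and return (session_id, Set-Cookie value)."""
    stored = USERS.get(username)
    if stored is None or not secrets.compare_digest(stored, _hash_password(password)):
        return None
    # 32 bytes from the OS CSPRNG: long and unpredictable, so it cannot be guessed or brute-forced.
    session_id = secrets.token_urlsafe(32)
    ttl = REMEMBER_ME_TTL if remember_me else SESSION_TTL
    _sessions[session_id] = {"user": username, "expires": time.time() + ttl}
    return session_id, set_cookie_header(session_id, remember_me)


def _session_id_from_cookie(cookie_header: str) -> Optional[str]:
    """Pull the session ID out of a request's Cookie header ("a=1; session=...; b=2")."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None


def current_user(cookie_header: str) -> Optional[str]:
    """Look the presented ID up in the store; return the user, or None if unknown or expired."""
    sid = _session_id_from_cookie(cookie_header)
    record = _sessions.get(sid) if sid else None
    if record is None:
        return None
    if time.time() > record["expires"]:
        _sessions.pop(sid, None)
        return None
    return record["user"]


def logout(cookie_header: str) -> bool:
    """Destroy the session server-side; the client-side cookie is cleared separately."""
    sid = _session_id_from_cookie(cookie_header)
    return _sessions.pop(sid, None) is not None


def revoke_all_sessions(username: str) -> int:
    """Drop every session a user holds, e.g. after a password change; returns how many were dropped."""
    doomed = [sid for sid, rec in _sessions.items() if rec["user"] == username]
    for sid in doomed:
        del _sessions[sid]
    return len(doomed)


if __name__ == "__main__":
    sid, header = login("alice", "correct horse battery staple", remember_me=True)
    print("Set-Cookie:", header)
    print("request with real cookie   ->", current_user("session=" + sid))
    print("request with guessed cookie ->", current_user("session=" + sid[::-1]))
```

Note that nothing about the user is stored in the cookie; an attacker who alters it can only produce a key that is absent from the store, which is why the unpredictability of the ID is the whole security argument for this design.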

Cookie attacks

Cross-site scripting (XSS) injection attacks are a common method used to steal session cookies. If attackers can find a page on a site that is vulnerable to XSS injection, they can insert a script into the page that sends them the session cookie of everyone who views the page. The stolen cookie then enables the attackers to impersonate its rightful owner, staying logged in to the victim's account for as long as the session remains valid, without ever having to enter a password. Marking the session cookie HttpOnly keeps page scripts from reading it, which blunts this particular theft route, though it does nothing against an attacker who can forge a cookie outright.

Alternative cookie attacks include guessing, brute-forcing or fabricating the contents of a valid authentication cookie rather than stealing one. Any such forged cookie would enable the attacker to impersonate one of the site's genuine users.

Reverse engineering how the values in a session cookie are produced is not easy, provided the site does it properly: session IDs should come from a cryptographically secure random number generator so they are unique and unpredictable, and cookies that carry data rather than a lookup key should be protected by a message authentication code computed with a secret key the server never discloses. It's not impossible though -- a weak random number generator, a leaked signing key or a mistake in how the signed data is assembled can each make forgery practical.

In 2008, the WordPress 2.5 Cookie Integrity Protection Vulnerability (CVE-2008-1930) was discovered. The authentication cookie generated by the wp_generate_auth_cookie() function carried a username, an expiry time and a hash-based message authentication code, but the username and expiry time were concatenated with no separator before the MAC was computed. A cookie legitimately issued to an attacker who had registered a username such as admin0 therefore carried a MAC that was also valid for the user admin with the leading 0 moved into the expiry field, so the attacker could rewrite their own cookie into one the server accepted for admin without ever calculating the MAC themselves.
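The shape of that flaw, rebuilt as an added example that is not WordPress's code and is not taken from the original article. The secret key, the HMAC hash function, the cookie layout and the fixed "current time" are all assumptions made for the demonstration; the point is the missing separator in the MAC input, shown beside a corrected scheme that inserts one.

```python
import hashlib
import hmac
from typing import Optional

# Constructed server secret standing in for the site's secret key, and an
# assumed HMAC hash function. The flaw does not depend on either choice.
SECRET_KEY = b"constructed-secret-key-not-a-real-site-key"
NOW = 1_500_000_000  # fixed "current time" so the example is deterministic


def _mac(data: str) -> str:
    return hmac.new(SECRET_KEY, data.encode(), hashlib.sha256).hexdigest()


# --- vulnerable scheme: the MAC covers username + expiry with NO separator ---
def vulnerable_cookie(user: str, expiration: int) -> str:
    """Issue a cookie the way the pre-fix scheme did: user|expiry|MAC(user . expiry)."""
    return f"{user}|{expiration}|{_mac(user + str(expiration))}"


def vulnerable_validate(cookie: str, now: int = NOW) -> Optional[str]:
    """Return the username the cookie authenticates, or None if it is expired or tampered."""
    user, expiration, mac = cookie.split("|")
    if int(expiration) < now:
        return None
    if not hmac.compare_digest(mac, _mac(user + expiration)):
        return None
    return user


# --- fixed scheme: a separator inside the MAC input makes the parse unambiguous.
# This assumes usernames cannot contain "|", which the site's username rules must enforce.
def fixed_cookie(user: str, expiration: int) -> str:
    return f"{user}|{expiration}|{_mac(user + '|' + str(expiration))}"


def fixed_validate(cookie: str, now: int = NOW) -> Optional[str]:
    user, expiration, mac = cookie.split("|")
    if int(expiration) < now:
        return None
    if not hmac.compare_digest(mac, _mac(user + "|" + expiration)):
        return None
    return user


def forge_cookie(own_cookie: str, target_user: str) -> str:
    """Re-split a cookie legitimately issued to a username that extends target_user.

    The surplus characters of the username are moved to the front of the expiry
    field. The concatenation user . expiry, and therefore the MAC over it, is
    unchanged, but the server now reads the cookie as belonging to target_user.
    """
    user, expiration, mac = own_cookie.split("|")
    if not user.startswith(target_user) or user == target_user:
        raise ValueError("need a cookie for a username that extends the target's")
    return f"{target_user}|{user[len(target_user):]}{expiration}|{mac}"


if __name__ == "__main__":
    # Attacker registers "admin0" and logs in normally; the site issues a valid cookie.
    own = vulnerable_cookie("admin0", 2_000_000_000)
    forged = forge_cookie(own, "admin")
    print("issued :", own, "->", vulnerable_validate(own))
    print("forged :", forged, "->", vulnerable_validate(forged))
    print("fixed  :", fixed_validate(forge_cookie(fixed_cookie("admin0", 2_000_000_000), "admin")))
```

The forged expiry "02000000000" still parses as a time in the future, so the expiry check does not save the vulnerable validator; only an unambiguous MAC input does. The same lesson applies to any signed or encrypted token whose fields are joined by concatenation.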

Yahoo warned its users that forged cookies may have been used to gain access to user accounts without needing to log in as recently as 2016. [Editor's note: the U.S. Department of Justice later identified and indicted four hackers for allegedly minting authentic cookies within Yahoo's network, which experts believe is different than copying valid authentication cookies.]

Because of the difficulty in consistently crafting valid forged cookies, Yahoo believes the attacker is most likely a state actor using proprietary code stolen from within Yahoo's internal systems to learn how to forge its cookies. Yahoo mentioned this cookie-based attack in a Form 10-Q Securities and Exchange Commission filing in October 2016. Yahoo has invalidated the forged cookies so they cannot be used again.

This particular attack required stealing proprietary code, and it shows the lengths to which attackers can and will go in order to break into users' online accounts. Changing passwords regularly still matters, but only because most sites destroy a user's existing sessions when the password changes; it does not by itself stop an attacker who can mint fresh cookies with the site's own signing code. The durable fix is on the server side -- invalidating the affected sessions and rotating the secrets used to create cookies -- which is why Yahoo invalidated the forged cookies rather than relying on users alone.


This was last published in July 2017
