I'd have thought that necessary cookies are the most valuable to miscreants.
Billions of cookies up for grabs as experts warn over session security
A VPN vendor says billions of stolen cookies currently on sale, either on the dark web or on Telegram-based marketplaces, remain active and exploitable. More than 93.7 billion of them are currently available for criminals to buy online and, of those, between 7 and 9 percent are active, on average, according to NordVPN's breakdown of stolen …
COMMENTS
-
Thursday 29th May 2025 14:59 GMT Blazde
"sessions may persist"..."Clearing this data helps reduce the window of opportunity for .. access"
But if it's already been accessed simply deleting your copy of the cookie might only make things worse. Better to go to the site and log out. Particularly if said site is a data-slurping tech giant that encourages and facilitates you staying logged in on multiple devices.
-
Thursday 29th May 2025 16:41 GMT Blacklight
Although it would be frowned on by some, companies utilising session cookies should be doing some IP-based due diligence here. MS MFA does exactly that (although it alerts first, rather than blocking).
If a new session pops up suddenly, from a new IP and/or device (and typically a new geography), ask it to re-auth and drop the session trust. Granted, mobile users will be handed out IPs all the time, but typically those are within a carrier's range and can be 'foreseen'; combined with device and/or passkey verification, job done.
Simply going "Ahah, that's Bob's session, suddenly in Nigeria, that's ok" is "not ok".
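The IP/device due diligence described in the comment above, sketched as an added example that is not the commenter's code and not a description of how any vendor's MFA actually works: a session remembers the IP and device it was last seen from; a request from a new device, or from an IP outside the same known carrier range as the previous one, drops session trust and keeps answering "reauth" until an MFA/passkey step-up succeeds and the session is re-bound. The carrier range (a TEST-NET documentation block), the device identifier and the `mfa_ok` flag are constructed stand-ins, and network range is used as a proxy for geography because no GeoIP data is assumed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for a carrier's address pool: IP hops inside it are expected
# for mobile users. 198.51.100.0/24 is a documentation range (TEST-NET-2).
KNOWN_CARRIER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class SessionState:
    """What the server remembers about one live session (constructed example)."""
    user: str
    last_ip: str
    last_device: str      # hypothetical device fingerprint or passkey-bound device id
    trusted: bool = True  # False once trust is dropped, until re-authentication


def same_known_range(ip_a: str, ip_b: str) -> bool:
    """True if both addresses fall inside one known carrier range."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    return any(a in net and b in net for net in KNOWN_CARRIER_RANGES)


def assess_request(state: SessionState, ip: str, device: str) -> str:
    """Decide 'allow' or 'reauth' for a request presenting this session.

    A new device, or a move to an IP outside the previous IP's known range,
    drops session trust; an already-untrusted session stays 'reauth'.
    """
    if not state.trusted:
        return "reauth"
    if device != state.last_device:
        state.trusted = False
        return "reauth"
    if ip != state.last_ip and not same_known_range(state.last_ip, ip):
        state.trusted = False
        return "reauth"
    state.last_ip = ip  # an in-range hop is accepted and tracked
    return "allow"


def reauthenticate(state: SessionState, ip: str, device: str, mfa_ok: bool) -> bool:
    """After a step-up check (MFA/passkey result passed in as mfa_ok),
    re-bind the session to the new IP and device and restore trust."""
    if not mfa_ok:
        return False
    state.last_ip, state.last_device, state.trusted = ip, device, True
    return True


def demo() -> list:
    """Walk one session through a carrier hop, a jump to a new network and a new device."""
    s = SessionState(user="bob", last_ip="198.51.100.10", last_device="dev-A")
    return [
        assess_request(s, "198.51.100.77", "dev-A"),  # hop inside carrier range: allow
        assess_request(s, "203.0.113.5", "dev-A"),    # different network: reauth
        assess_request(s, "203.0.113.5", "dev-A"),    # trust stays dropped: reauth
        reauthenticate(s, "203.0.113.5", "dev-A", mfa_ok=True),  # step-up passed: True
        assess_request(s, "203.0.113.5", "dev-A"),    # re-bound to new IP: allow
        assess_request(s, "203.0.113.5", "dev-B"),    # new device: reauth
    ]


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting: trust is dropped server-side and stays dropped, so a stolen session presented from elsewhere cannot simply retry until it gets lucky; only a successful step-up re-binds it.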
-
Thursday 29th May 2025 16:49 GMT captain veg
have to say
I find the entire notion of "necessary" cookies puzzling. I get that they can facilitate conveniences, but I can also remember a time when they hadn't even been invented yet. Web sites worked fine without them. Even today I set my browser to reject third party cookies entirely and discard first party ones on session closure. This inconveniences me not at all.
Don't get me started on "legitimate interest".
-A.
-
Friday 30th May 2025 09:17 GMT Displacement Activity
Re: have to say
I've done a server which required users to log in (because all the pages were user-specific, so the server needed to know who the user was) without cookies.
Since HTTP is stateless, the client has to send something in the request to identify themselves. No cookies in this case, so the server generated an encrypted session token that was just passed backwards and forwards between the client and the server. I guess this is what you mean by "JavaScript".
Both mechanisms are equally secure, because the site is HTTPS-only. The token has the advantage of ensuring zero persistence; it's gone if the browser tab is closed. If you actually want persistence, so that the user can connect on the next day without a sign in, you'd have to store the token on client storage. IOW, it's magically become a persistent cookie.
-
Thursday 29th May 2025 19:30 GMT unlocked
> "Most people don't realize that a stolen cookie can be just as dangerous as a password, despite being so willing to accept cookies when visiting websites, just to get rid of the prompt at the bottom of the screen."
Not sure why this quote is in the article. The button to accept cookies isn't related to any technical restraint; it's just there for regulatory purposes. Malicious websites can do whatever they want with cookies without the user clicking "Allow All". Of course, none of that is related to cookie stealing anyway, which is typically where external malware running on your device grabs cookies either from memory or (more often) from disk, bypassing the same-origin security rules that browsers impose on websites.
-
Friday 30th May 2025 07:39 GMT Anonymous Coward
Re: This is why I love TheRegister
Though it's based in Trumpistan and not Communist UK any more, so it is subject to snooping or a raid by the Feds or ICE Gestapo and thumbing its nose at the law..
I see "you know who's" current wheeze is: if the data is on a server in the USA … fuck your foreign laws on free speech.
-
Friday 30th May 2025 08:49 GMT Displacement Activity
You can't expect a user to re-authenticate, MFA or otherwise, every time they visit a different page. Since HTTP is stateless, the user must instead send some form of identification to the server with every HTTP request. One way to do that is to send a cookie. IOW, the whole point is to bypass MFA, or simple password entry, or whatever.
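The stateless hand-off described in this comment and in Displacement Activity's earlier one (the client must present something identifying with every request, and a cookie is only one carrier for it), as an added example that is not the commenter's server code: the server mints a token, here signed with HMAC-SHA256 rather than encrypted as in the original, accepts it from either a `Cookie` header or an `Authorization: Bearer` header, and checks signature and expiry before trusting the user it names. The key, the `session` cookie name, the header dicts and the user `alice` are constructed for the example. Whoever presents a valid token is the user, whichever header carried it, which is why a stolen copy works until expiry or server-side revocation.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed key for the example; a real deployment keeps this in a secrets store.
SERVER_KEY = b"constructed-example-key-do-not-reuse"
COOKIE_NAME = "session"  # hypothetical cookie name


def issue_token(user: str, now: int, ttl: int = 3600) -> str:
    """Server: build {sub, exp}, sign it with HMAC-SHA256, return base64url(payload).base64url(sig).

    The payload stays readable by the client (signed, not encrypted); only forgery is prevented.
    """
    payload = json.dumps({"sub": user, "exp": now + ttl}, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode()
            + "." + base64.urlsafe_b64encode(sig).decode())


def verify_token(token: str, now: int):
    """Return the user the token names, or None if it is malformed, forged or expired."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def extract_token(headers: dict):
    """Pull the token from Authorization: Bearer or from the session cookie; both carry the same string."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):]
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None


def handle_request(headers: dict, now: int):
    """Identify the requester from this request's headers alone; HTTP remembers nothing between requests."""
    tok = extract_token(headers)
    return verify_token(tok, now) if tok else None


def demo() -> dict:
    """Constructed requests: same token via header and cookie, then expired, forged, replayed and absent."""
    now = 1_700_000_000
    tok = issue_token("alice", now)
    forged = tok[:-4] + "AAAA"  # last signature bytes altered
    return {
        "bearer": handle_request({"Authorization": "Bearer " + tok}, now + 10),
        "cookie": handle_request({"Cookie": "theme=dark; session=" + tok}, now + 10),
        "expired": handle_request({"Authorization": "Bearer " + tok}, now + 4000),
        "forged": handle_request({"Authorization": "Bearer " + forged}, now + 10),
        "replayed_copy": handle_request({"Cookie": "session=" + tok}, now + 10),  # a stolen copy still works
        "no_token": handle_request({}, now + 10),
    }


if __name__ == "__main__":
    print(demo())
```

The persistence point from the earlier comment falls out of where the client keeps the string: held in a page's JavaScript memory it dies with the tab; written to a cookie jar or local storage it survives, and so does anything that copies it off the disk.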
-
Saturday 31st May 2025 22:51 GMT Anonymous Coward
"You can't expect a user to re-authenticate..."
I mean...you can expect that, and even require it, it's just less convenient for the user. Much like locking their doors when they leave home, or taking their car key/fob/hammer/small child with them when they're out shopping/dining/drinking themselves blind.
Some militaries have a pretty good handle on this. Most don't because somehow convenience overcomes security every time.
Maybe Soylent Green really is made of people.
-
Sunday 1st June 2025 06:38 GMT Richard 12
You'd have to re-enter your login details on every single click. No single "login page"; every page has a login.
It's not merely inconvenient. Imagine if every door and cupboard in your home locked behind you and needed a key. Key to get into the loo, key to get back out, key to get into the kitchen, key to turn on the oven, key to turn it off...
It'd be almost impossible to use, and horrifically insecure, as users would be absolutely certain to accidentally re-enter their details into a third-party page.
"Basic" authentication like that is fine for scripting, useless for humans.
-
Friday 30th May 2025 06:15 GMT Anonymous Coward
Always something
There is no secure method that isn't going to require some extra effort from the user. So that's the choice: accept the risks or live with extra effort. However, there are a lot of sites that use cookies and ID purely for data collection, aren't there, Google? I don't see why Google & friends would lose ad revenue if ID was banned except where it is truly required, if it applied to all competitors for that revenue. I don't like the obsession with digital ID, as most of it is contrary to the user's benefit. Central ID that our governments want for control purposes will be a disaster because they will store very sensitive data and they will get it stolen.
-
Friday 30th May 2025 06:29 GMT Anonymous Coward
Why?
For the security experts: do we actually need cookies everywhere? Clearly we need to ID sometimes, but how often, and what are the options? Most websites look as if they could operate perfectly well with an anonymous ID; in fact I often create an ID because I don't want my true details floating around with every Tom, Dick and Harry just to view their website. Having once or twice bought things with Bitcoin, I note that it is possible to even pay anonymously, although they need an address to ship to! As for the banks' KYC, that is a farce and only intrudes on citizens and hinders the small, uninformed criminal, so it clearly isn't for the reasons stated. Personally, I am happy to take the chance of banks not knowing the customer, and I especially want the biggest criminals (the state) to not know their customers, because I trust them as much as the mafia to act in my best interest.