Session hijacking is a technique used by bad actors to take over your internet session, so that they can take the same actions that you can take. Those actions could be accessing your bank account or accessing your employer’s network and deploying ransomware.
For YouTuber Linus Sebastian, session hijacking resulted in his channel, the eponymously-named Linus Tech Tips, being used to run a crypto scam. You can watch his explanation of the attack here.
There are steps that the owners of websites can take to mitigate the risk of their users being stung but, in this blog post, we’ll look at it from the end user’s perspective. We’ll take a deep dive into how session hijacking works and what you can do to protect yourself from this type of cyberattack.
What is a session?
Before we get into session hijacking, let’s take a moment to talk about what a session actually is.
Quick explanation: it’s the period of time for which a website permits you to remain logged in after you’ve entered your username and password.
Longer explanation: Your computer uses HTTP to communicate with websites. HTTP is a stateless protocol and, consequently, every HTTP request a website receives is viewed independently. To put it another way, HTTP exchanges do not tell a website what went on before. This means that if you were to try to navigate to a different page on a website that you’d already logged into, HTTP wouldn’t tell the website that you’d already logged in, and you’d need to do so again, and again every time you wanted to navigate to a new page. This would obviously make for an absolutely terrible user experience.
Sessions resolve the issue. A session refers to the interactions between a user and a website within a given timeframe, typically starting from the moment of authentication until the user logs out or the session expires due to inactivity. In other words, when you log in to a website, a session is created on the host server, which acts as a reference for the initial authentication. As long as the session is active, you can freely move about the website without needing to re-authenticate. The session is only ended when you log out or after a predefined period of inactivity. Once the session has ended, you’ll need to log in again to access your account.
What is a session ID?
Every session that is created is assigned a unique identifier known as a session ID or session token. This session ID is then used to identify and associate subsequent requests you make within your ongoing session.
The session ID is usually stored in a cookie or included in the URL as a query parameter. It allows the server to recognize you and maintain the session state, regardless of the requests you make or the pages you visit on that website. During a session, the server may store relevant user data or session-specific information, including your preferences, the contents of your shopping cart, your temporary authentication credentials, and more. This data is usually stored on the server side and associated with your session ID.
While session IDs clearly serve a very useful function, they are prone to exploitation if not properly secured. If a threat actor is able to intercept a session ID, they may be able to impersonate the user and access any information and perform any action the user could.
How does session hijacking work?
Attackers can employ various methods to intercept session IDs and gain unauthorized access to user sessions. Once the attacker has gained control over the session, they can conduct all sorts of malicious activity, including extracting sensitive information, carrying out unauthorized transactions, modifying account settings or even escalating their privileges within the system.
Here are some common techniques used in session hijacking:
- Session sniffing, sometimes referred to as session side-jacking, is a type of active session hijacking technique that targets the insecure transmission of session IDs. While just about every website these days encrypts login pages to keep passwords secure, some websites do not encrypt the other pages of the site. In this scenario, attackers can use packet sniffing tools to monitor your network traffic and capture session cookies after the point of authentication. Even though your password may not have been compromised, attackers are still able to impersonate you on the targeted service across the unencrypted pages.
- Session prediction: Some websites follow predictable patterns for generating session IDs. In a session prediction attack, threat actors capture valid session IDs and analyze them in order to get a better understanding of the session ID generation algorithm. The more predictable the pattern, the easier it is to exploit. Once the algorithm has been cracked, threat actors may be able to predict and generate a valid session ID and use it to target specific users.
- Session fixation attacks eliminate the need to intercept a session ID. Instead, threat actors generate or steal a valid session ID from the target website before you’ve entered your login credentials and trick you into using the session ID (e.g., by sending you a malicious link via email). Once you’ve logged into the website and authenticated the compromised session ID, the attacker can also access the session.
- Malware is perhaps the most common method used to steal browser information, including session IDs. As Linus Sebastian mentioned in the video we linked to above, the process can be very quick, with the information being stolen within seconds of the malware being installed.
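To make the session model from the earlier sections concrete, and to show the server-side controls that blunt the sniffing, prediction and fixation techniques just listed (and that make "log out" meaningful), here is a small added example. It is not Emsisoft's code and is not tied to any web framework: the "server" is a plain Python class whose methods stand in for request handlers, the cookie name `sid`, the 15-minute idle limit and the `alice` / `correct horse` credentials are constructed for the illustration.

```python
"""Minimal server-side session handling (added example, not the post's own code).

Shows: stateless HTTP where the cookie is the only link between requests,
unpredictable session IDs, cookie attributes that limit exposure, a fresh ID
issued at login (session fixation defence), idle expiry, and logout that
invalidates the ID on the server rather than just clearing the cookie.
"""
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "sid"         # assumed cookie name
IDLE_TIMEOUT = 15 * 60      # assumed inactivity limit: 15 minutes


class SessionStore:
    """Server-side session state, keyed by an unpredictable session ID."""

    def __init__(self, now=time.time):
        self._sessions = {}  # session_id -> {"user": str | None, "last_seen": float}
        self._now = now      # injectable clock so expiry can be exercised in tests

    @staticmethod
    def new_id():
        # 32 bytes from the OS CSPRNG: earlier IDs reveal nothing about the next one.
        return secrets.token_urlsafe(32)

    def create(self, user=None):
        sid = self.new_id()
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def lookup(self, sid):
        """Return the session for sid, or None if unknown or idle too long."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self._now() - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # expired: a captured ID is useless from here on
            return None
        sess["last_seen"] = self._now()
        return sess

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def session_id_from_request(headers):
    """HTTP is stateless: the only link to earlier requests is what the client sends back."""
    cookie = SimpleCookie()
    cookie.load(headers.get("Cookie", ""))
    morsel = cookie.get(COOKIE_NAME)
    return morsel.value if morsel else None


def set_cookie_header(sid, max_age=None):
    """Build a Set-Cookie value with the attributes that limit exposure of the ID."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    cookie[COOKIE_NAME]["secure"] = True     # never sent over plain HTTP (sniffing)
    cookie[COOKIE_NAME]["httponly"] = True   # not readable by page scripts
    cookie[COOKIE_NAME]["samesite"] = "Lax"  # not attached to most cross-site requests
    if max_age is not None:
        cookie[COOKIE_NAME]["max-age"] = max_age
    return cookie[COOKIE_NAME].OutputString()


class App:
    """Three request handlers: whoami, login, logout."""

    def __init__(self, store):
        self.store = store

    def whoami(self, headers):
        sess = self.store.lookup(session_id_from_request(headers))
        return sess["user"] if sess and sess["user"] else None

    def login(self, headers, username, password):
        # Constructed credential check; a real application verifies against a user store.
        if not (username == "alice" and password == "correct horse"):
            return None, None
        # Fixation defence: discard whatever ID arrived with the request and issue a
        # fresh one, so an ID the attacker planted never becomes an authenticated one.
        self.store.destroy(session_id_from_request(headers))
        sid = self.store.create(user=username)
        return sid, set_cookie_header(sid)

    def logout(self, headers):
        # Invalidate on the server: clearing the browser cookie alone would leave
        # any copy of the ID still usable.
        self.store.destroy(session_id_from_request(headers))
        return set_cookie_header("expired", max_age=0)
```

The important design point is that the session ID is treated as a bearer credential: it is generated by a CSPRNG so it cannot be predicted, it is only ever carried in a `Secure`, `HttpOnly` cookie, it is replaced at the moment of login so a pre-planted ID is never upgraded, and both inactivity and logout remove it from the server-side store. The end-user advice above ("log out") only works because of that last step.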
How to prevent session hijacking
The following tips will help you avoid becoming the victim of a session hijacking attack.
- Log out: If you log out of a website, the session ID will be invalidated and cannot be maliciously used. It’s as simple as that.
- Exercise caution with links: Whether they arrive by email, SMS, or embedded in social media posts, links may not be what they appear to be. Instead of pointing you to the site you expected, they may instead point you to a phishing site designed to trick you into entering your password or installing malware. While many phishing messages are easy to spot, some are extremely convincing. Be super-cautious, and if you have even the slightest doubt as to the validity of a message, do not click. Instead use your Favorites or type the address into your browser.
- Keep your device and apps updated: Do not delay installing security updates. The quicker you install them, the smaller the window during which your device will be vulnerable because of whatever bugs that the updates fix.
- Use one of our products: Okay, so this isn’t strictly necessary. While we’d love it if you did use our products – and if you already are, thanks, you’ve made an excellent choice! – using any reputable and reliable antivirus/antimalware solution will help you fend off attacks. Put simply, if malware cannot get onto your computer, it cannot steal your session IDs.
A note regarding multi-factor authentication (MFA). While session hijacking may bypass MFA, it’s nonetheless critically important and should be enabled wherever it can be enabled. Turning it on will significantly reduce the likelihood of your accounts being compromised.
Session hijacking occurs when an attacker gains control of a legitimate user’s session ID and exploits it to impersonate the user and perform unauthorized actions. There are a few different ways of carrying out a session hijacking attack, including session sniffing, cross-site scripting, session prediction and session fixation. By following the mitigation tips described above, you can help keep your sessions secure and reduce the risk of falling victim to session hijacking.