Site icon Emsisoft | Cybersecurity Blog

What is session hijacking and how do you prevent it?

Session hijacking

Session hijacking

Session hijacking is a technique used by bad actors to take over your internet session, so that they can take the same actions that you can take. Those actions could be accessing your bank account or accessing your employer’s network and deploying ransomware.

For YouTuber Linus Sebastian, session hijacking resulted in his channel, the eponymously-named Linus Tech Tips, being used to run a crypto scam. You can watch his explanation of the attack here.

There are steps that the owners of websites can take to mitigate the risk of their uses being stung but, in this blog post, we’ll look at from the end user perspective. We’ll take a deep dive into how session hijacking works and what you can do to protect yourself from this type of cyberattack.

What is a session?

Before we get into session hijacking, let’s take a moment to talk about what a session actually is.

Quick explanation: it’s the period of time for which a website permits you to remain logged in after you’ve entered your username and password.

Longer explanation: Your computer uses HTTP to communicate with websites.  HTTP is a stateless protocol and, consequently, every HTTP request a website receives is viewed independently. To put it another way HTTP exchanges do not tell a website what went on before. This means that if you were to try navigate to a different page on a website that you’d already logged into, HTTP wouldn’t tell the website that you’d already logged, and you’d need to do so again. And again every time you wanted to navigate to a new page. This would obviously make for an absolutely terrible user experience.

Sessions resolve the issue. A session refers to the interactions between a user and a website within a given timeframe, typically starting from the moment of authentication until the user logs out or the session expires due to inactivity. In other words, when you log in to a website, a session is created on the host server, which acts as a reference for the initial authentication. As long as the session is active, you can freely move about the website without needing to re-authenticate. The session is only ended when you log out or after a predefined period of inactivity. Once the session has ended, you’ll need to log in again to access your account.

What is a session ID?

Every session that is created is assigned a unique identifier known as a session ID or session token. This session ID is then used to identify and associate subsequent requests you make within your ongoing session.

The session ID is usually stored in a cookie or included in the URL as a query parameter. It allows the server to recognize you and maintain the session state, regardless of the requests you make or the pages you visit on that website. During a session, the server may store relevant user data or session-specific information, including your preferences, the contents of your shopping cart, your temporary authentication credentials, and more. This data is often stored on the server’s side and associated with the user’s session ID.

While session IDs clearly serve a very useful function, they are prone to exploitation if not properly secured. If a threat actor is able to intercept a session ID, they may be able to impersonate the user and access any information and perform any action the user could.

How does session hijacking work?

Attackers can employ various methods to intercept session IDs and gain unauthorized access to user sessions. Once the attacker has gained control over the session, they can conduct all sorts of malicious activity, including extracting sensitive information, carrying out unauthorized transactions, modifying account settings or even escalating their privileges within the system.

Here are some common techniques used in session hijacking:

How to prevent session hijacking

The following tips will help you avoid becoming the victim of a session hijacking attack.

A note regarding multi-factor authentication (MFA). While session hijacking may bypass MFA, it’s nonetheless critically important and should be enabled wherever it can be enabled. Turning it on will significantly reduce the likelihood of your accounts being compromised.

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial

Conclusion

Session hijacking occurs when an attacker gains control of a legitimate user’s session ID and exploits it to impersonate the user and perform unauthorized actions. There are a few different ways of carrying out a session hijacking attack, including session sniffing, cross-site scripting, session prediction and session fixation. By following the mitigation tips described above, you can help keep your sessions secure and reduce the risk of falling victim to session hijacking.

Exit mobile version