If you stay up to date with cyber security news, you might have heard of Google’s Threat Analysis Group discovering a financially motivated phishing campaign targeting YouTubers.
Researchers found that the attackers lured creators with fake collaboration offers (for example anti-virus software demos or VPN deals). Once a target agreed, the attackers sent links that looked like software downloads but delivered cookie-stealing malware. With the stolen session cookies they took over the creators’ YouTube channels and either sold them or used them for cryptocurrency scams.
This attack is not specific to YouTube. It abuses session cookies, the mechanism nearly every website uses to keep you logged in between requests, so any site that accepts its session cookie as a plain bearer token can be hit with the same technique. What varies is the damage: many websites add further controls, such as restricting administrative access to an allow-list of IP addresses or asking for MFA again before sensitive actions, to limit what a stolen cookie can do.
In this article, we’ll explore cookie hijacking attacks, how they work, and their implications, and specifically address the risks faced by WordPress websites.
What Is Cookie Hijacking?
Cookie hijacking, also known as session hijacking, is a method attackers use to gain unauthorized access to your account on a particular website without knowing your password. When you log in, the website does not store your password in your browser; instead it sets a session cookie, a random identifier that your browser sends back with every request so that the site knows the request is yours. Ticking the “remember me” box usually only extends the lifetime of that cookie from the current browser session to days or weeks.
Unlike traditional password theft, where attackers need to obtain or crack your credentials, cookie hijacking targets the session cookies stored in your browser. Because a session cookie represents a login that has already happened, a copy of it lets the attacker act as you without a password or second factor, and the copy keeps working until the session expires or the site revokes it. Changing your password only helps on sites that invalidate existing sessions when the password changes.
How Does Cookie Hijacking Work?
Let’s try to break down the session hijacking attack in simple steps:
Step 1: Getting Access to Your Browser
To perform a cookie hijacking attack, the attacker first needs to get the cookies out of your browser. Most commonly this means running malware on your computer, for example through an email attachment or a fake installer; less commonly the cookies are captured in transit on an untrusted Wi-Fi network or read by a script injected into a vulnerable website.
Once malware is running, it does not need to break anything: it reads the cookie store that your browsers keep on disk, typically along with saved passwords and other browser data, and copies it out.
Step 2: Transferring Your Cookies
If the attacker manages to execute malicious code on your computer, you may not notice even if you are running an antivirus: everything appears to keep working normally. During this stage attackers often wait days or even weeks, collecting as much information as possible and transferring it to their own server before doing anything visible with it.
Step 3: Unauthorized Access
Once the attackers have what they need, they load the stolen cookies into their own browser and the website accepts them as you: no password prompt, no second factor. They usually time this for when you are likely to be away from your computer for a while. For example, if Friday is a national holiday, they will act after working hours on Thursday.
The longer it takes you to notice, the more time the attackers have to do damage and to cover their tracks, which is why the timing matters to them.
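To make the three steps concrete, here is an added example in Python; it is not code from this article, from Google’s report or from any real website. A toy server issues an opaque session cookie, an attacker replays a copied cookie three days later, and the server-side control that limits the damage is shown beside the naive behaviour: revoking every session of the account and issuing a fresh id when the password changes. The server class, the user “alice” and the passwords are all made up for the example.

```python
import secrets
import time


class SessionServer:
    """Toy web backend: logs a user in by setting an opaque session id in a
    cookie and identifies later requests by looking that id up. Constructed
    for this example; it is not the code of any real site or of WordPress."""

    TTL = 14 * 24 * 3600  # "remember me" lifetime: two weeks, in seconds

    def __init__(self, revoke_on_password_change=True):
        self.revoke = revoke_on_password_change
        self.passwords = {}  # username -> password (plaintext only to keep the demo short)
        self.sessions = {}   # session id -> {"user": ..., "expires": ...}

    def register(self, user, password):
        self.passwords[user] = password

    def login(self, user, password, now):
        """Return the cookie value the browser will store, or None on bad credentials."""
        if self.passwords.get(user) != password:
            return None
        sid = secrets.token_urlsafe(32)  # 256 random bits: unguessable, but copyable
        self.sessions[sid] = {"user": user, "expires": now + self.TTL}
        return sid

    def whoami(self, cookie, now):
        """Who the server takes a request carrying this cookie to be. Nothing here
        asks which machine sent it: the cookie is a bearer token, so a stolen copy
        is as good as the original."""
        s = self.sessions.get(cookie)
        if s is None or now > s["expires"]:
            self.sessions.pop(cookie, None)
            return None
        return s["user"]

    def change_password(self, cookie, old, new, now):
        """Return the caller's (possibly new) cookie, or None if not allowed."""
        user = self.whoami(cookie, now)
        if user is None or self.passwords[user] != old:
            return None
        self.passwords[user] = new
        if not self.revoke:
            return cookie  # naive server: every existing session, stolen copies included, lives on
        # Hardened server: drop every session of this user, the current one included
        # (its id may already be in an attacker's hands), and issue a fresh id.
        for sid in [sid for sid, s in self.sessions.items() if s["user"] == user]:
            del self.sessions[sid]
        return self.login(user, new, now)


def replay_attack(revoke_on_password_change):
    """Victim logs in, an infostealer copies the cookie, the attacker replays it
    three days later. Returns what each party can do at each point."""
    srv = SessionServer(revoke_on_password_change)
    srv.register("alice", "hunter2")
    t0 = time.time()
    victim_cookie = srv.login("alice", "hunter2", t0)
    stolen = victim_cookie                 # exfiltrated copy of the browser's cookie jar
    later = t0 + 3 * 24 * 3600             # attacker waits (step 2 above)
    before = srv.whoami(stolen, later)     # password never guessed, MFA never asked
    new_cookie = srv.change_password(victim_cookie, "hunter2", "correct-horse", later)
    return {
        "attacker_before": before,
        "attacker_after_password_change": srv.whoami(stolen, later),
        "victim_after_password_change": srv.whoami(new_cookie, later),
        "attacker_after_expiry": srv.whoami(stolen, later + SessionServer.TTL),
    }


if __name__ == "__main__":
    print("naive server:   ", replay_attack(False))
    print("hardened server:", replay_attack(True))
```

Running it shows the attacker still identified as “alice” after the password change on the naive server and locked out on the hardened one, while the victim stays logged in with the reissued cookie in both cases; only the hard expiry eventually stops the naive server from honouring the stolen copy.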
Different Methods Used by Cybercriminals to Steal Cookies from Browsers
Let’s take a look at some of the popular ways attackers can compromise devices.
Phishing Attacks
The simplest, and probably the most effective, way to get a foothold on a victim’s computer is to impersonate a trusted party and trick the user into handing over what the attacker wants. Even when the attacker does not ask you to fill in a login form directly, they can still trick you into doing things, such as opening a file, that lead to your account being compromised.
In 2023, a number of high-profile YouTube channels were hacked using this technique. In the Linus Media Group YouTube channel hack, the strategy worked perfectly: an employee downloaded what seemed to be a normal sponsorship PDF, but the file contained malware that stole the browser’s session tokens.
Session tokens are like digital keys that keep users logged into websites. A stolen token represents a session that has already passed the password and two-factor checks, so the site never asks for them again and the attacker gets instant access. In the Linus Tech Tips case, this let the attacker livestream scam videos, rename the channels and delete content, all without guessing a password or answering a security challenge.
The most dangerous part of this attack is how simple it is. Hackers exploit human trust and our natural tendency to quickly open seemingly important documents. This method doesn’t require advanced technical skills, just a good understanding of human behavior and a convincing fake document.
Malware Exploiting Vulnerabilities
If you are running outdated software with known vulnerabilities, then attackers can target your computer to exploit these vulnerabilities. By compromising the system, attackers can install malware that can gain access to cookies and other sensitive data.
Man-in-the-Middle (MITM) Attacks
In MITM attacks, an attacker sits between the user’s browser and the server and reads or alters the traffic, which lets them capture cookies as they are transmitted. If you connect to an unknown wireless network, the operator of that network, or anyone else on it, is in exactly that position.
Public WiFi networks in coffee shops, airports and other shared spaces are a significant risk because of their open nature: unencrypted traffic can be read by anyone on the network, including login credentials, cookies and personal data.
The main defence against such network attacks is HTTPS, which encrypts the traffic between the browser and the server using TLS (the successor of SSL). In our previous post, we explained how to install an SSL certificate on WordPress websites. Two details matter in practice: the session cookie should carry the Secure attribute so that the browser never sends it over plain HTTP, and the site should send a Strict-Transport-Security header so that the browser refuses to make plain HTTP requests to it at all. HTTPS only protects traffic to sites that offer it; for anything that still travels over plain HTTP or FTP, a VPN encrypts all of your traffic as far as the VPN endpoint.
Cross-Site Scripting (XSS)
In this kind of attack, attackers inject malicious code (usually JavaScript) into a vulnerable website that other people trust. When victims visit the affected page, the injected script runs in their browser with the site’s own origin, so it can read the site’s cookies (unless they are marked HttpOnly) and send them to the attacker.
XSS is one of the oldest web attack classes, and most mature platforms have the output encoding and security headers needed to block it, but not every site is equally protected. Many smaller or older websites are still vulnerable, and an injected script can do more than read cookies: it can also submit requests on the victim’s behalf without their knowledge.
To stay safe, keep your browser updated and be careful about clicking unknown links. If you are a web developer, escape all untrusted output, set a Content Security Policy, and mark the session cookie HttpOnly so that even a successful injection cannot read it. The related problem of forged requests is addressed with unique per-request tokens and by checking where requests actually come from; read our post titled “Understanding CSRF Attacks & Locking Down CSRF Vulnerabilities” to learn how to protect your website from that.
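The MITM and XSS sections above each come down to one cookie attribute (Secure and HttpOnly respectively), with SameSite covering the forged-request case. The following Python is an added example, not code from this article, from WordPress or from any plugin: it parses Set-Cookie header values and reports which of those protections a session cookie lacks. The three sample headers and the cookie name `sid` are constructed for the example.

```python
"""Audit the attributes of Set-Cookie headers. Added example for this article,
not WordPress or any plugin's code; the sample headers below are constructed."""


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes such as Secure map to ""."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Findings for one session cookie; an empty list means it has every attribute
    that closes one of the theft routes discussed above."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure: also sent over plain HTTP, readable by a network attacker")
    if "httponly" not in attrs:
        findings.append("no HttpOnly: injected script can read it from document.cookie")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite missing or None: attached to cross-site requests (CSRF)")
    if name.startswith("__Host-"):
        # The browser enforces these three conditions for the __Host- prefix.
        if "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs:
            findings.append("__Host- prefix needs Secure, Path=/ and no Domain, else the browser rejects it")
    elif "domain" in attrs:
        findings.append(f"Domain={attrs['domain']}: shared with every subdomain, any of which can overwrite it")
    return findings


# Constructed samples: the same cookie as a legacy site, a half-hardened site and a
# hardened site might set it. The value is a placeholder, not a real session id.
SAMPLE_HEADERS = {
    "legacy": "sid=a1b2c3d4e5f6; Path=/; Domain=example.com",
    "partial": "sid=a1b2c3d4e5f6; Path=/; Secure; HttpOnly; SameSite=None",
    "hardened": "__Host-sid=a1b2c3d4e5f6; Path=/; Secure; HttpOnly; SameSite=Lax",
}


def audit_all(headers=SAMPLE_HEADERS):
    """Map each sample label to its findings."""
    return {label: audit_set_cookie(h) for label, h in headers.items()}


if __name__ == "__main__":
    for label, findings in audit_all().items():
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

To check a real site, fetch the response headers of its login page (for example with `curl -sI`) and pass each Set-Cookie line to `audit_set_cookie`. The `__Host-` prefix is worth the rename on your own cookies: it makes the browser itself refuse the cookie unless Secure and Path=/ are present and no Domain is set.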
Risks for WordPress Users
Just like with any other website, WordPress websites also use cookies to store session information, which means that WordPress websites are not immune to cookie hijacking.
For example, a WordPress Core vulnerability fixed in June 2016 (WordPress 4.5.3) allowed a stolen cookie to be used to change the account’s password, so that an attacker who hijacked the session of a higher-privileged user could lock them out and keep access to the site’s administrative controls.
More recently, the LiteSpeed Cache plugin, installed on over 5 million websites, was affected by an even more critical vulnerability. The plugin’s user simulation feature relied on a weak security hash; an unauthenticated visitor who could guess that hash could make the plugin treat them as an administrator. This is especially concerning because:
- If an attacker gains access to your WordPress admin session, they can access sensitive user data and potentially steal confidential information.
- E-commerce sites built on WordPress store customer data, including personally identifiable information such as each customer’s address and order history, which could be compromised via a cookie hijacking attack.
- An attacker with control over your session can alter your website content, inject malicious code, or deface your pages – all of which could degrade your SEO rankings and erode customers’ trust in your brand.
Although neither case involved stealing a cookie from a browser, the end result was the same: session hijacking. In both, attackers could bypass the normal authentication flow by exploiting weak controls around sessions, gaining unauthorized access to user sessions and potentially compromising entire websites.
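The LiteSpeed case turned on the strength of a “security hash”. The following Python is an added illustration of that general lesson and is not the plugin’s code: the six-digit token, the `SimulationEndpoint` class and the guess rate are hypothetical stand-ins. It contrasts a low-entropy token with one from the operating system’s CSPRNG, computes how long an online brute force needs to exhaust each, and actually runs the brute force against the weak one.

```python
import itertools
import math
import random
import secrets
import string


def weak_hash():
    """Six decimal digits from the non-cryptographic `random` module. A hypothetical
    stand-in for any short or low-entropy 'security hash', not any real plugin's code."""
    return "".join(random.choice(string.digits) for _ in range(6))


def strong_hash():
    """128 bits from the OS CSPRNG, hex-encoded: the shape a security token should have."""
    return secrets.token_hex(16)


def keyspace_bits(alphabet_size, length):
    """Entropy of a uniformly random string of `length` symbols from the alphabet."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every value at the given online guess rate."""
    return 2 ** bits / guesses_per_second


class SimulationEndpoint:
    """Hypothetical feature that grants a privileged role to any request carrying
    the right hash. Only the equality check is modelled."""

    def __init__(self, hash_value):
        self._hash = hash_value
        self.attempts = 0

    def request(self, candidate):
        self.attempts += 1
        return "administrator" if candidate == self._hash else "anonymous"


def brute_force_digits(endpoint, length=6):
    """Try every digit string of the given length, in order, until the endpoint
    grants the privileged role. Returns (winning value, attempts) or (None, attempts)."""
    for digits in itertools.product(string.digits, repeat=length):
        candidate = "".join(digits)
        if endpoint.request(candidate) == "administrator":
            return candidate, endpoint.attempts
    return None, endpoint.attempts


def compare(guesses_per_second=1000):
    """Keyspace and worst-case brute-force time for both token designs at an
    assumed rate of 1000 unauthenticated requests per second."""
    weak = keyspace_bits(10, 6)     # six digits
    strong = keyspace_bits(16, 32)  # 32 hex characters
    return {
        "weak_bits": round(weak, 1),
        "weak_worst_case_seconds": seconds_to_exhaust(weak, guesses_per_second),
        "strong_bits": round(strong, 1),
        "strong_worst_case_years": seconds_to_exhaust(strong, guesses_per_second) / (365 * 86400),
    }


if __name__ == "__main__":
    print(compare())
    found, tries = brute_force_digits(SimulationEndpoint(weak_hash()))
    print(f"weak token recovered: {found} after {tries} requests")
    print(f"strong token for comparison: {strong_hash()}")
```

At 1000 requests per second the six-digit space is exhausted in about a quarter of an hour, while the 128-bit token would take on the order of 10^25 years; rate limiting narrows the gap but does not close it, so the fix is a CSPRNG-generated token of at least 128 bits, compared in constant time.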
Preventing Cookie Hijacking in WordPress
Even if you don’t manage a WordPress website, there is a strong possibility that you have an account on a website that was built using WordPress. But even if you don’t have a WordPress account, you should still stick to the following security practices, as most of them apply to any website:
Use HTTPS Connections
If you are a website owner, configure your server to redirect all plain HTTP requests to HTTPS and to send a Strict-Transport-Security header, so that every connection between users and your server is encrypted and session cookies cannot be intercepted in transit. Make sure the session cookie itself carries the Secure attribute as well. Read our post titled How To Redirect WordPress from HTTP to HTTPS to learn how to do this.
Use Two-Factor Authentication (2FA)
Use a password manager to generate and fill in unique credentials, and enable multi-factor authentication on your website to add a second layer at login. Keep in mind that 2FA protects the login step: a cookie stolen after login is already past that step, so combine it with short session lifetimes and revoke sessions when something looks wrong (WordPress users can do this with the “Log Out Everywhere Else” button on their profile page). We have written an in-depth post that explains how to configure multi-factor authentication on WordPress sites, which you can refer to for more information.
Keep Everything Updated
It might sound obvious, but it is true: updating your software to a fixed version protects you from a great many known vulnerabilities and attacks. However, keeping track of all current vulnerabilities can be an arduous task, which is why we built Patchstack – a single tool to manage and virtually patch security vulnerabilities in all things WordPress.
Avoid Nulled Plugins and Themes
Although we have said it many times, it is worth repeating: running untrusted software is a very effective way of introducing malware to your website, and to your computer if you install it locally. Pirated or cracked plugins and themes obtained from untrustworthy sources are routinely backdoored. This is why we have long advised against using nulled plugins and themes on your WordPress website.
Beware of Untrusted Links and Attachments
Even if you have an antivirus installed that scans all files for malware, creative attackers often find a way around it. The simplest (and probably the most effective) way to keep your computer secure is not to open anything you do not trust.
If you need to open something untrustworthy anyway, consider an isolated environment such as SquareX, which creates a disposable virtual environment on demand that you can use for opening untrusted links and files.
Final Thoughts
In this post, we have discussed how cookie hijacking poses a significant risk to WordPress users. It can compromise user accounts, sensitive data, and even entire websites. By understanding how these attacks work and implementing security best practices, you can safeguard your website and protect your users’ data.
As we mentioned earlier, one very simple way to protect your website is by patching vulnerable software.
Patchstack protects from vulnerabilities, provides real-time alerts, and is trusted by WordPress experts. Don’t leave your website’s security to chance – sign up for Patchstack today!