
Multi-factor authentication adds extra layers of security to cloud services, but it's not always foolproof. People are now carrying out pass-the-cookie attacks to get around MFA and gain access to your cloud services. Once they are in, they can steal, exfiltrate, or encrypt your sensitive data.

But what exactly is a pass-the-cookie attack, how does it work, and what can you do to protect yourself from it? Let's find out.

Using a session cookie to bypass authentication is called a pass-the-cookie attack.

When a user tries to log in to a web application, the application will ask the user to enter their username and password. If the user has enabled multi-factor authentication, they will need to submit an additional authentication factor like a code sent to their email address or phone number.

Once the user has passed multi-factor authentication, a session cookie is created and stored in the user's web browser. This session cookie allows the user to stay signed in instead of going through the authentication process again and again whenever they navigate to a new page of the web application.

Session cookies simplify the user experience as the user doesn't have to re-authenticate every time they move onto the next page of the web application. But session cookies also pose a severe security threat.

If someone is able to steal session cookies and inject them into their own browser, the web application will trust those cookies and grant the thief complete access.

If an attacker gains access to your Microsoft Azure, Amazon Web Services, or Google Cloud account this way, they can cause irreparable damage.


Here is how someone carries out a pass-the-cookie attack.

The first step in carrying out a pass-the-cookie attack is to extract a user's session cookie. Hackers employ various methods to steal session cookies, including cross-site scripting, phishing, man-in-the-middle (MITM) attacks, and trojans.

Malicious actors now sell stolen session cookies on the dark web, so cybercriminals don't even have to extract users' session cookies themselves. By purchasing stolen cookies, cybercriminals can easily plan a pass-the-cookie attack to gain access to a victim's confidential data and sensitive information.

Once the infiltrator has the user's session cookie, they will inject the stolen cookie into their web browser to start a new session. The web application will think that a legitimate user is starting a session and grant access.

Each web browser handles session cookies differently: session cookies stored in Mozilla Firefox are not visible to Google Chrome. And when a user logs off, the session cookie expires automatically.

If a user closes the browser without logging off, session cookies might be deleted, depending on the browser's settings. A web browser may not delete session cookies if the user has set it to continue where they left off. This means logging off is a more reliable way of clearing session cookies than shutting down the browser without logging off from the web application.


Here are a few ways to prevent pass-the-cookie attacks.

Implement Client Certificates

If you want to protect your users from pass-the-cookie attacks, giving them a persistent token that is attached to every server connection request can be a good idea.

You can make this happen by using client certificates stored on the user's system to establish whether clients are who they claim to be. When a client makes a server connection request using its certificate, your web application uses the certificate to identify the certificate's source and determine whether the client should be allowed access.

Though this is a secure method to combat pass-the-cookie attacks, it is only suitable for web applications with a limited number of users. Web applications with an enormous number of users find it quite challenging to implement client certificates.

For example, an ecommerce website has users across the world. Just imagine how difficult it would be to implement client certificates for every shopper.

Add More Context to Connection Requests

Adding more context to server connection requests, so that each request can be verified, is another way to prevent pass-the-cookie attacks.

For example, some companies require a user's IP address before granting access to their web applications.

A downside of this method is that an attacker may be present in the same public space as the user, such as an airport, library, coffee shop, or organization, and therefore share the same IP address. In such a case, both the cybercriminal and the legitimate user will be granted access.

Use Browser Fingerprinting

While you may typically want to defend against browser fingerprinting, it can actually help you fight pass-the-cookie attacks. Browser fingerprinting allows you to add more context to connection requests. Information such as browser version, operating system, user's device model, preferred language settings, and browser extensions can be used to identify the context of any request to ensure the user is exactly who they claim to be.

Cookies have acquired a bad name since they are often used to track users, but there are options to disable them. By contrast, when you implement browser fingerprinting as an element of identity context for every connection request, there is no opt-out: users cannot disable or block browser fingerprinting.
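As an added example (not from the article), here is how a server could bind a session cookie to the identity context described in the two sections above, so that a stolen cookie replayed from a different network or browser is rejected. The `ClientContext` fields, the class names and the sample addresses are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class ClientContext:
    """Identity context taken from each request (hypothetical field set)."""
    ip: str
    user_agent: str
    accept_language: str

def context_fingerprint(ctx: ClientContext) -> str:
    """Hash the context into a fixed-length fingerprint stored with the session."""
    material = "|".join([ctx.ip, ctx.user_agent, ctx.accept_language]).encode()
    return hashlib.sha256(material).hexdigest()

class SessionStore:
    """In-memory session table; a real deployment would use a shared store."""
    def __init__(self):
        self._sessions = {}  # session_id -> (user, bound fingerprint)

    def create(self, user: str, ctx: ClientContext) -> str:
        """Call only after password and MFA succeeded: issue the cookie value
        and bind it to the context the login came from."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = (user, context_fingerprint(ctx))
        return session_id

    def validate(self, session_id: str, ctx: ClientContext):
        """Return (user, 'ok') only if the cookie is known AND presented from
        the bound context. A replayed cookie from another browser or network is
        rejected and the session revoked, so the thief gets nothing and the real
        user is merely asked to sign in (and pass MFA) again."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None, "unknown-session"
        user, bound_fp = entry
        if not hmac.compare_digest(bound_fp, context_fingerprint(ctx)):
            del self._sessions[session_id]
            return None, "context-mismatch"
        return user, "ok"

# Constructed contexts: the victim's own browser, a thief replaying the stolen
# cookie from elsewhere, and a thief on the victim's public IP (shared Wi-Fi)
# with a different browser: an IP-only check passes the last one, the fingerprint does not.
VICTIM = ClientContext("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0", "en-US")
THIEF = ClientContext("198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0", "en-US")
THIEF_SAME_IP = ClientContext("203.0.113.10", "Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0", "en-US")
```

Binding to the full context means a legitimate user whose IP changes (for example, moving from Wi-Fi to mobile data) is also signed out, which is the trade-off behind the downside noted above; many deployments bind only the stable fields and step up to MFA on a context change instead of revoking outright.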

Use a Threat Detection Tool

Using a threat detection tool is an excellent way to detect accounts that are being used maliciously.

A good cybersecurity tool will proactively scan your network and alert you about any unusual activity before it can do any significant damage.
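An added illustration, not from the article, of the kind of check such a tool performs: scanning access logs for a session cookie that is presented from more than one client context. The log lines, format and field names are constructed for this example, and the lines are assumed to be in chronological order.

```python
import re

# Constructed access log (not real data). Session s-7f3a is first used from the
# owner's browser and later replayed from a different IP and browser, which is
# the footprint a pass-the-cookie attack leaves behind.
SAMPLE_LOG = """\
2023-10-05T09:12:01Z sid=s-7f3a user=alice ip=203.0.113.10 ua="Firefox/118.0 (Windows)" path=/login
2023-10-05T09:12:05Z sid=s-7f3a user=alice ip=203.0.113.10 ua="Firefox/118.0 (Windows)" path=/mail
2023-10-05T09:15:00Z sid=s-02c9 user=bob ip=192.0.2.44 ua="Safari/17.0 (macOS)" path=/files
2023-10-05T09:40:22Z sid=s-7f3a user=alice ip=198.51.100.7 ua="Chrome/117.0 (Linux)" path=/mail
2023-10-05T09:41:03Z sid=s-7f3a user=alice ip=198.51.100.7 ua="Chrome/117.0 (Linux)" path=/export
2023-10-05T09:50:11Z sid=s-02c9 user=bob ip=192.0.2.44 ua="Safari/17.0 (macOS)" path=/files/q3
"""

# key=value pairs; quoted values may contain spaces
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict (quotes stripped)."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    fields["ts"] = ts
    return fields

def find_hijacked_sessions(log_text: str) -> list:
    """Flag every session id presented from more than one (ip, ua) context.
    Returns one alert per session with the context it was first seen from,
    the new context, and the time the switch was first observed."""
    first_ctx = {}  # sid -> (ip, ua) at first sight
    alerts = {}     # sid -> alert dict (one alert per session)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        ctx = (e["ip"], e["ua"])
        sid = e["sid"]
        if sid not in first_ctx:
            first_ctx[sid] = ctx
        elif ctx != first_ctx[sid] and sid not in alerts:
            alerts[sid] = {"sid": sid, "user": e["user"], "bound": first_ctx[sid],
                           "seen": ctx, "first_switch_at": e["ts"]}
    return list(alerts.values())
```

A context switch on its own is a signal, not proof; the alert is a prompt to revoke the session and have the user re-authenticate, with the "first_switch_at" timestamp marking where a forensic review of that session's later requests should begin.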

Pass-the-cookie attacks are a severe security threat. Attackers don't have to know your username, password, or any other additional authentication factor to access data. They just have to steal your session cookies, and they can enter your cloud environment and steal, encrypt, or exfiltrate sensitive data.

What's worse, in some cases, a hacker can carry out a pass-the-cookie attack even when a user has closed their browser. So it becomes crucial that you take the necessary security measures to prevent pass-the-cookie attacks. Also, educate your users about MFA fatigue attacks in which hackers send users a barrage of push notifications to wear them down.