How Can You Mitigate the “Pass the Cookie” Attacks?

In January of this year, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert following a spate of attacks, advising users to strengthen their cloud environment configuration. It is believed that these attacks are occurring due to the large volume of remote and work-from-home employees. Once the mix of both corporate and personal devices are being used to access data, there is increased vulnerability to an attack. Today we are discussing this fairly new technique called "Pass the Cookie" to bypass multi-factor authentication (MFA).

What is a Cookie? 

We’ve all seen the windows that pop up at the bottom of our screen asking us to agree to cookies to continue using or to optimally use a website. Well cookies, sometimes called transient or session cookies are small files (called cookie.txt) that contain information about a user that disappears when the user's browser is closed. Cookies are most commonly used to track website activity. When you visit some online sites, the server gives you a “cookie” that acts as your identification card. Upon each return visit to that site, your browser passes that cookie back to the server. Cookies can help a web server gather pertinent information about which web pages are used the most, and which pages are gathering the most repeat hits. In the case of online shopping, cookies can record any personal information you enter, as well as any items in your electronic shopping cart, so that you don't need to re-enter this information each time you visit the site.  This can be both a major convenience and a little creepy, thinking that “big brother” is always aware of where you have been and what you have been browsing through. Despite this dual convenience and creepiness, when you return to a site you have visited before, the server uses the information gathered prior in the cookie to create a customized page for you. For privacy reasons, users may wish to view the cookies currently stored in the browser or control which sites to accept cookies from. In addition, some users may also decide how long they may be stored and used. Most modern browsers offer the ability to control cookie settings. For better or worse, we have all become accustomed to these cookies as an integral part of online life. Unfortunately, so have the cyber criminals who are always looking for the next new way to spot vulnerabilities in our online behaviors. Pass the cookie is one such vulnerability. 

man working at computer

What is Pass the Cookie Attack? 

Now that we all are reminded about what cookies are and why they are used, it is important to look at the vulnerability of a Pass the Cookie attack that could take advantage of this function.  According to TripWire online, “cyber criminals are able to use stolen ‘session’ cookies (or Pass the Cookie) in order to authenticate themselves to web services, thus bypassing security measures like multifactor authentication because the session has been authenticated already.” The convenience of cookies is that they recognize a user and make it so they do not need to continually re-authenticate their identity for quite some time since the cookie is valid for a time period after the initial use.  If these cookies should be discovered by someone with malicious intent however, they could be imported into a non-authorized browser, allowing the cyber criminal to continue to access a site or app for as long as the cookie is activated. Cookie forging attacks of this kind provide plenty of time to move laterally through a site, gaining access to sensitive data and emails or enabling the criminal to perform actions as the victim’s account. While cookie-style attacks are not exactly new, they are still relatively unknown or understood by the cyber security community. Stealthbits security expert, Jeff Warren explains that he was able to get around the MFA with a “pass the cookie attack.”  He went on to explain that, If you put MFA on top of your web applications the user logging in will be prompted to provide additional proof that they are who they say they are, such as accepting a push notification on their mobile device. Once they have passed all of those tests, they are allowed into the app. At that point, a browser cookie is created and stored for that user’s session.” The Cybersecurity and Infrastructure Security Agency (CISA) has put up red flags that the cookie acts as an authentication token. The two key facts to remember are: “The authentication cookie is generated AFTER any multi-factor authentication has taken place. The cookie is accepted by the server as proof of authentication without the need to know or provide a username or password.” (Source: SecureTeam)


How Can Users Reduce the Risk of these Attacks? 

Mitigating the risks of these attacks is the goal of security experts in organizations both big and small. As in the case of any cyber crime, there are no foolproof methods to stop all vulnerabilities, but there are some protocols that can mitigate the risks and keep your data safe from cyber criminals.  When it comes to pass-the-cookie attacks, there are several ways to increase your data security. Deterring cyber criminals may take more than just some roadblocks in their way, but every chance your organization has to outwit them is a step in the right direction. 

Make Use of Client Certificates

One of the more secure options for reducing a “Pass the Cookie'' attack is by making use of client certificates stored in the profile on the system. This technique gives the users a persistent token that can be stored securely on his/her system and that will be used in every connection to the server. This can be achieved using a client certificate stored in the user’s profile on the operating system. Unfortunately this technique may need to limit access to a set number of users which make this method difficult if you have many partners that need access or if you have a B2B system. 

Reduce the Window Of Opportunity for Attack

By using dynamic tokens, which can change every few minutes or even seconds, the window of opportunity for the attack has been dramatically shortened. For instance, Security Boulevard online states that, “If the attacker is not fast enough to leverage the token, his stolen token will be invalid by the time he uses it. However, it does not completely mitigate the attack, only reduces the window of opportunity.”

Require Identifying Criteria 

To strengthen security, many experts are suggesting using more context besides the token to identify the origin of the request. For instance this could be a user’s IP address. Unfortunately, the use of proxies by cyber criminals could shield their identity, especially if the criminal is within the same public space such as a library, coffee shop, or airport. This could cause a reading as the same location and thus the same user. 

Use Browser Fingerprinting 

In order to add unique identifying context to the request to ensure the person is who he claims to be, many experts suggest using client-side fingerprinting such as a browser version, installed browser extensions, or font names.  In addition to these four main strategies, each with its own strengths and weaknesses, the US Cybersecurity and Infrastructure Security Agency (CISA) has created a lengthy list of ways that you can safeguard your data and sensitive information from this type of attack. To read more or find further resources check out this link for CISA here “Pass the Cookie” attacks are on the rise, and thankfully many organizations are becoming more aware of the possible vulnerability that they face using these features. Follow our recommendations and those of the CISA to continue your organizations best practices for digital health and security protocols.