What is Sidejacking / Session hijacking

This article is to increase awareness only!  

Sidejacking –  “Session hijacking, sometimes also known as cookie hijacking is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim’s computer.” To be short, the attacker can use  your cookies to impersonate your account and can do anything that user can, when logged-in to the website.

Its  common, that Websites secure your account by encrypting the login method. however, it’s uncommon for Websites to encrypt or secure the information once you are logged in. This makes the cookie and therefore the user vulnerable. When logged in to open wireless network in  i.e. coffee shop, cookies are exposed, making the attacks very easy.

How the Sidejacking attack is done? It is carried in two steps

1. Intercept packets (session cookies)

There are lots of tools and addons that may Sniff packets containing “session cookies“. Addons such as Firesheep or software : Wireshark, Hamster or APR  check the packets traveling between the target IP and  the HOST. These tools can capture commands like POST or GET requests utilized by browsers to send and receive information from the HOST (This interception works on most of the social networks and email clients).  

2. Utilizing session cookie.

Once you’ve got the cookie data, next step is to use it to gain access to the account. By using the Sniffed Cookie and some tools you can login to your victims account even if you don’t know the password. (Mostly attackers use addons or software to access and edit cookies. i.e.  for Firefox Browser, you’ll use Cookie Manager+ or Edit Cookies. For Chrome: Edit This Cookie or Cookie Manager).

Above mentioned method might seem  complicated or difficult, but Mr. Eric Butler, a software engineer introduced an extension for Firefox called “Fireseep”, this extension was created to demonstrate security risks for users and websites, that only encrypt the login process and not the cookies created during the online session. This extension uses the packet sniffer to capture and decrypt cookies from certain websites while they are transferred over the network.

When on unsecured Wi-Fi or LAN, Fireship can capture available cookies and decrypt / display the vital information.  As shown in the image below, found user accounts are displayed in sidebar and access to their accounts can be gained with one click.   

How to secure the account from Sidejacking attack ?  

1. Most of the websites support HTTPS (Hypertext Transfer Protocol Secure) browsing (Difference between HTTP and HTTPS – URLs begins with “https://” and use port 443 by default, whereas HTTP URLs begin with “http://” and use port 80 by default.

HTTP is not encrypted and is vulnerable to man-in-the-middle and eavesdropping attacks, which can let attackers gain access to website accounts and sensitive information, and modify webpages to inject malware or advertisements. HTTPS is designed to withstand such attacks and is considered secure against them (with the exception of older, deprecated versions of SSL)).

i.e. Facebook: Account Settings > Account Security > check “Secure Browsing (https)” > Save.

i.e. Twitter: Settings > Account > check “Https Only” > save.

2. When using Public WiFi, Avoid accessing the Websites that doesn’t Support HTTPS://. Also, Don’t use sites that revert to HTTP after login.
3. Always Log off from the account or websites rather than closing the tab or window. If you log out, the attackers session becomes invalid.
4. Use Two-factor (two-step) authentication, which works as an extra step in the process, a second security layer, that will reconfirm your identity. Also, with this step you authorize your computer and browser only to access the account. Any other attempts to gain access to your account with different browser / computer will require reentering the second security code.

This article is written for educational purpose only, I believe that there should be stern privacy rules, which could safeguard the user on the internet.