
Cookie theft threat: When Multi-Factor authentication is not enough
2022-08-22 19:44

Once the user has authenticated, a session cookie maintains the session state and the browsing session stays authenticated.

Figure A. Each cookie stored in the browser's database contains a list of parameters and values, including in some cases a unique token provided by the web service once authentication is validated.

The threat, as exposed in a recent publication from Sophos, is pretty straightforward: "Cookies associated with authentication to web services can be used by attackers in 'pass the cookie' attacks, attempting to masquerade as the legitimate user to whom the cookie was originally issued and gain access to web services without a login challenge".

Several credential-stealing malware families now also provide cookie-theft functionality, and we should expect it to appear in almost every malware of this kind in the future, as MFA is deployed and used more and more widely.

One might think that session cookies would not last long enough to be sold, but that is not the case: depending on the configuration of the client and the server, session cookies might last for days, weeks or even months.

Many web-based applications implement additional checks against cookie session hijacking.
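One form those additional checks can take, as an added example that is not from the article or from Sophos: a server-side session store that enforces an absolute and an idle lifetime and binds each session to the client context seen at login, so a copied cookie replayed from a different client is rejected, revoked and logged with a reason. The policy values, record fields and the sample client contexts in the code are assumptions.

```python
import hashlib
import hmac
import secrets

# Policy values are assumptions for this example, not taken from the article.
ABSOLUTE_LIFETIME = 8 * 3600   # a session dies 8 hours after login, whatever happens
IDLE_TIMEOUT = 30 * 60         # and after 30 minutes without a request

SESSIONS = {}  # server-side store: session id -> record (in memory for the example)


def client_binding(user_agent: str, client_ip: str) -> str:
    """Hash of the client context captured at login."""
    return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()


def create_session(user: str, user_agent: str, client_ip: str, now: float) -> str:
    """Issue a fresh random session id after MFA succeeds and record its context."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "issued": now, "last_seen": now,
                     "binding": client_binding(user_agent, client_ip)}
    return sid


def validate_session(sid: str, user_agent: str, client_ip: str, now: float):
    """Return (user, reason); user is None when the presented cookie is rejected.

    Every rejection below also deletes the record, so a copied cookie cannot be
    retried, and the reason string is what the authentication log should carry."""
    rec = SESSIONS.get(sid)
    if rec is None:
        return None, "unknown"
    if now - rec["issued"] > ABSOLUTE_LIFETIME:
        SESSIONS.pop(sid)
        return None, "absolute-expiry"
    if now - rec["last_seen"] > IDLE_TIMEOUT:
        SESSIONS.pop(sid)
        return None, "idle-expiry"
    if not hmac.compare_digest(rec["binding"], client_binding(user_agent, client_ip)):
        # An unexpired cookie presented from a different client than the one
        # that logged in: the pass-the-cookie pattern. Revoke and force re-auth.
        SESSIONS.pop(sid)
        return None, "context-mismatch"
    rec["last_seen"] = now
    return rec["user"], "ok"
```

Binding to the client IP causes false rejections for users whose address changes (mobile networks, some VPNs), so many services bind only to a device or user-agent fingerprint and raise an alert on mismatch rather than revoking outright.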


News URL

https://www.techrepublic.com/article/cookie-theft-threat-when-multi-factor-authentication-is-not-enough/