Contact Us
  • Session hijacking
    attacks: understanding
    and preventing them

  • Author: Sue Poremba

Every time you visit a website, the time between logging on and exiting is known as a "session." Most users initiate dozens of sessions every day without a problem. But not every session is safe, as cyber criminals find reasons—and ways—to take them over.

Even though so-called session hijacking attacks have been happening for years, as more people work remotely and depend on websites and applications for their job duties, there is new awareness around the threat. One familiar version of this type of attack is the takeover of video conferences. For example, in March 2020 the FBI reported that during an online Massachusetts high school class, an unidentified individual dialed into the virtual classroom and "yelled a profanity and then shouted the teacher's home address." While video conference attacks like these are getting all the attention now, they're just the tip of the iceberg.

The goal of session hijacking attacks

Session takeovers happen when a hacker compromises an active session by stealing, or hijacking, the HTTP cookies necessary to maintain a session, explains the EC-Council. It is also possible to take over a session by predicting when an active session will happen by a particular user whose access credentials the hijacker already has. This allows the attacker to go deeper into the user's network.

The goal for the intruder is to have full access to the session, giving them the same permissions as the actual authorized user. At the same time, while in the session, the hacker can modify information in the server that will make it easy to return.

Session takeovers happen in several different ways. These include:

  • Man-in-the-middle/man-in-the-browser attacks: Intercepting the communication between two connections or systems.
  • Session sniffing: Finding non-encrypted communications to find the session ID.
  • Cross-site script attack: Using malicious code to steal the session ID.

Beyond intruding on video conferences, hackers use session takeovers to assume control of online banking, make purchases on e-commerce sites and steal sensitive data like intellectual property or personally identifiable information.  Session takeovers also set up ransomware-style attacks by allowing the intruder to encrypt sensitive files and demand payment to unencrypt them. Once inside the session, the hacker can really do whatever they want, putting everything on your company's servers and devices at risk. As found in the 2021 Verizon Data Breach Investigations Report, ransomware ranked third in types of breaches that companies and consumers alike faced in 2020, doubling in frequency over the previous year.  In March 2020, a session hijacking effort against Slack was thwarted by a bug bounty hunter who discovered a vulnerability in the way HTTP processes requests, which could have exposed private data from hundreds of corporations.

How to prevent session takeovers

Session takeovers aren't harmless. They can result in data breaches and financial losses for organizations and individual users. Preventing session takeovers is possible with a few strategic security moves, including:

  • Encrypting all data transmitted on a web page.
  • Using HTTPS certification on websites.
  • Properly logging out of sessions when they are finished and closing websites open if not actively used.
  • Using cyber security tools to protect websites from potential threats.
  • Keeping your browsers updated and patched.

While session hijacking has been around for a long time, it's taken on new urgency with the increase in remote work in 2020. Protecting your website from intruders and making visits to your site more secure for clients and consumers should be a top priority.

Learn how Verizon's DNS Safeguard can help protect your company from session hijacking and other threats.