Do you accept cookies? Here’s why hackers love them


18 September 2025

When you visit a website, it sends a cookie to your browser. This is a small text file containing data about you, your system, and your actions on the site. Your browser stores this information on your device and sends it back to the server every time you return. This simplifies your interaction with the website: you don’t need to log in on every page. Websites remember your display settings, online stores keep the items in your cart, streaming platforms know which episode you last watched — the benefits are countless. Cookies can store your username, password, personal details, phone number, home address, banking information, and your session ID.

The session ID is a unique code assigned to each user when they log into a website. If someone manages to intercept that code, the server will treat them as the legitimate user. A simple example: imagine you can enter your office using an electronic card with a unique code. If someone steals that card, the thief — regardless of whether they resemble you or not — can open any door you have access to. Meanwhile, the security system will believe it’s you. Sounds like a scene from a crime drama? In 2023, hackers gained access to all three YouTube channels of well-known tech blogger Linus Sebastian — “Linus Tech Tips” and two other channels of Linus Media Group with tens of millions of subscribers — and they did it exactly this way.
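To make the "access card" analogy concrete, here is an added example (not code from the original article) of the server side of a login: it issues a random session ID, stores only a hash of it, sends it back in a cookie with protective attributes, and later accepts whoever presents a matching ID. The class and function names (SessionStore, issue_session, resolve_session), the one-hour lifetime and the cookie name sid are this example's own assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumption for this example: sessions idle out after one hour.
SESSION_TTL_SECONDS = 3600


@dataclass
class Session:
    user: str
    expires_at: float


@dataclass
class SessionStore:
    """Minimal in-memory session store (example only, not a production design)."""

    # Keyed by SHA-256 of the session ID: a leaked copy of this table cannot be
    # replayed, because the raw ID never touches the server's storage.
    _by_hash: Dict[str, Session] = field(default_factory=dict)

    @staticmethod
    def _digest(session_id: str) -> str:
        return hashlib.sha256(session_id.encode("ascii")).hexdigest()

    def issue_session(self, user: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Create a session for a freshly authenticated user.

        Returns the session ID and the Set-Cookie header that carries it.
        """
        now = time.time() if now is None else now
        # 32 bytes from the OS CSPRNG: nobody can guess the next ID from the
        # previous one, unlike a counter, a timestamp or a hash of the username.
        session_id = secrets.token_urlsafe(32)
        self._by_hash[self._digest(session_id)] = Session(user, now + SESSION_TTL_SECONDS)
        header = (
            f"Set-Cookie: sid={session_id}; Path=/; Secure; HttpOnly; "
            f"SameSite=Lax; Max-Age={SESSION_TTL_SECONDS}"
        )
        return session_id, header

    def resolve_session(self, presented_id: str, now: Optional[float] = None) -> Optional[str]:
        """Map a presented session ID to a user name, or None if it is unknown or expired.

        The store checks only the ID itself: whoever presents a valid one is
        treated as that user. That is the property the article's stolen-card
        analogy describes, and it is why the ID must be random, short-lived
        and protected in transit.
        """
        now = time.time() if now is None else now
        key = self._digest(presented_id)
        session = self._by_hash.get(key)
        if session is None:
            return None
        if session.expires_at <= now:
            # Expired: drop it so a stale ID found later is worthless.
            del self._by_hash[key]
            return None
        return session.user

    def logout(self, presented_id: str) -> None:
        """Invalidate server side. Deleting the cookie in the browser alone does
        not help if a copy of the ID has already been stolen."""
        self._by_hash.pop(self._digest(presented_id), None)


if __name__ == "__main__":
    store = SessionStore()
    sid, set_cookie = store.issue_session("alice")
    print(set_cookie)
    print("presented ID resolves to:", store.resolve_session(sid))
    store.logout(sid)
    print("after logout:", store.resolve_session(sid))
```

The Secure attribute keeps the cookie off plain HTTP, HttpOnly keeps it out of reach of page scripts, and SameSite=Lax stops most cross-site requests from carrying it; the server-side hash and expiry limit what a stolen copy is worth and for how long.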

Cookies can be classified according to their lifespan, storage method, origin, and purpose. Session cookies are temporary and disappear as soon as you leave a website. Persistent cookies remain on your device after you leave, usually lasting about a year. First-party cookies are created by the website itself, while third-party cookies are collected by external platforms. Essential cookies support basic website functionality, while optional cookies are used for tracking user behavior and personalizing ads. Special types, such as supercookies and evercookies, store data in unconventional ways that allow them to evade deletion or regenerate themselves through JavaScript.

Cookies containing session IDs are the most tempting targets for hackers. Stealing a session ID is known as session hijacking. Session sniffing happens on websites that use HTTP instead of HTTPS, allowing attackers to intercept traffic and extract cookies. Cross-site scripting (XSS) lets attackers inject malicious scripts into a website, gaining full access to cookies. Cross-site request forgery (CSRF) tricks an authenticated user’s browser into performing actions without their knowledge. Session IDs can simply be guessed if websites generate them using weak algorithms. Other methods include session fixation, cookie tossing, and man-in-the-middle attacks.
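The classification above (session versus persistent, first-party versus third-party) and the attack list map directly onto attributes a defender can check in a server's Set-Cookie headers. The following added example (not code from the original article) parses such a header value, classifies the cookie, and reports the weaknesses that each hijacking technique relies on: a missing Secure attribute for sniffing, a missing HttpOnly attribute for XSS, a SameSite value other than Lax or Strict for CSRF, and a short or digits-only value for guessable session IDs. The function names (parse_set_cookie, audit_set_cookie), the list of session-like cookie names, the entropy threshold, and the sample headers are all this example's own constructions; the first-party test is a simplification that compares host names rather than using the public suffix list browsers consult.

```python
import math
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumption: cookies whose name contains one of these fragments carry a session.
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth")
# Assumption: values with fewer than 3 bits of entropy per character are suspicious.
MIN_ENTROPY_BITS_PER_CHAR = 3.0


@dataclass
class CookieReport:
    name: str
    value: str
    lifespan: str                      # "session" or "persistent"
    party: str                         # "first-party" or "third-party"
    findings: List[str] = field(default_factory=list)


def shannon_entropy_bits(value: str) -> float:
    """Bits of entropy per character, estimated from the value's own character frequencies."""
    n = len(value)
    if n == 0:
        return 0.0
    counts = Counter(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into the name, the value and a lowercase attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value: str, response_host: str, page_host: str) -> CookieReport:
    """Classify one Set-Cookie header value and list the hijacking risks it carries."""
    name, value, attrs = parse_set_cookie(header_value)
    # Lifespan: a cookie with Expires or Max-Age survives closing the browser.
    persistent = "max-age" in attrs or "expires" in attrs
    # Origin (simplified): set by the site in the address bar, or by someone else.
    party = "first-party" if response_host.endswith(page_host) else "third-party"
    report = CookieReport(name, value, "persistent" if persistent else "session", party)

    if "secure" not in attrs:
        report.findings.append("missing Secure: sent over plain HTTP, exposed to session sniffing")
    if "httponly" not in attrs:
        report.findings.append("missing HttpOnly: readable by an injected script (XSS)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        report.findings.append("SameSite not Lax/Strict: attached to cross-site requests (CSRF)")

    if any(hint in name.lower() for hint in SESSION_NAME_HINTS):
        if persistent:
            report.findings.append("session cookie is persistent: outlives the browser session")
        if value.isdigit() or len(value) < 16 or shannon_entropy_bits(value) < MIN_ENTROPY_BITS_PER_CHAR:
            report.findings.append("session value looks predictable or too short")
    return report


if __name__ == "__main__":
    # Constructed sample headers, as a server might send them with a page on shop.example.
    samples = [
        ("sessionid=1000042; Path=/", "shop.example"),
        ("sid=Q2Fu9xL7pRzW3vK8mN1tY6bH4sD0gJ5eA2cF7uV8iO; Path=/; Secure; HttpOnly; SameSite=Lax",
         "shop.example"),
        ("tracker_id=abc123xyz; Max-Age=31536000; Secure; SameSite=None", "ads.tracker.example"),
    ]
    for header, host in samples:
        r = audit_set_cookie(header, host, "shop.example")
        print(f"{r.name}: {r.lifespan}, {r.party}")
        for finding in r.findings:
            print("  -", finding)
```

Run against a real site's response headers, the same function highlights which cookies would be worth protecting first: an unflagged first-party session cookie is the one whose theft gives an attacker the "access card" the article describes.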

However, there are steps everyone can take to stay safe online:

  • Enter personal data only on websites using the HTTPS protocol. If you see “HTTP” in the address bar, do not accept cookies or share sensitive information like usernames, passwords, or credit card details.
  • Pay attention to browser warnings. If you see an alert about an invalid or suspicious security certificate when visiting a website, close the page immediately.
  • Regularly update your browser or enable automatic updates. This protects you against potential vulnerabilities.
  • Clear your cookies and cache regularly. This helps prevent exploitation of cookies and session IDs that may have leaked. Most browsers offer an option to delete such data automatically when you close the browser.
  • Do not click on suspicious links, especially those sent by strangers via messaging apps or email. If you struggle to identify phishing links, consider using Kaspersky Premium, which can warn you before you visit malicious sites.
  • Enable two-factor authentication (2FA) wherever possible. Tools like Kaspersky Password Manager can help store your 2FA codes and generate unique temporary ones, syncing them across your devices. This makes it much harder for attackers to access your account after a session ends — even if they steal your session ID.
  • Avoid accepting all cookies on every website. Accepting “all” is not the best strategy. Many websites now allow you to accept either all or only necessary cookies. Whenever possible, choose “only necessary cookies,” as these are the ones essential for the website’s proper functioning.
  • Connect to public Wi-Fi only as a last resort. Such networks are usually poorly protected, making them easy targets for attackers. If you must connect, avoid logging into social networks, messaging apps, online banking, or other services that require authentication.