How Your Online Accounts Are Hacked

Methods to Hack an Online Account

There are many ways how an attacker gain access to our online accounts, depending on the implementation of an application, some methods work better than others:

  • Session Hijacking
    • Also known as cookie stealing, where an attacker steal your cookie to gain access to your account.
  • Phishing
    • This method sometimes combine with session hijacking to steal your cookies. It can be a forged Facebook site that ask you to login in order to get your password
  • Password Reset
    • The intention of this feature is to recover a password that is lost, but some attackers will try to use it to gain access to your account by answering few questions, that's why it is important to set up a difficult questions and answers for recovery.
  • Keyloggers
    • Unless your computer is rigged or compromised, this method is less common. A keylogger is a software or hardware that will record all your keystrokes (all the keys you typed on the keyboard).

For the sake of this article, I will only talk about the most common method (Session Hijacking) and the mistakes that many users made that got their cookies revealed.

Session Hijacking

How Sessions Worked

Once you are logged in to an online service such as Facebook or Gmail, the server will create a unique session ID that identify your account, and sends it back to your browser. Once your browser got it, it will store the session ID in the cookies.

Every time a request is sent, your browser will send the cookies back to the server. So, when someone is able to get your cookies, they can login to your account without knowing your password.

Simulating Session Hijack

I will be using Chrome as the primary demonstration here with your logged in Facebook account. It should be applicable to other browsers too:

  1. Once you logged in to your Facebook account, open Chrome Developer Tools in Menu > More Tools > Developer Tools
  2. From the tabs on the top, select Resources
  3. On the left bar, click on Cookies dropdown and select www.facebook.com
  4. Now, open a new incognito window (Menu > New Incognito Window) and go to facebook.com, it shouldn't be logged in
  5. On the incognito window, open Developer Tools same as step 1, and select Console tab on the top
  6. Click on the Console > prompt and enter document.cookie="c_user=<copy value from your logged in Facebook c_user cookie>"
  7. Then, enter document.cookie="xs=<copy value from your logged in Facebook xs cookie>"
  8. Refresh the page and Voila! You are mysteriously logged in to your Facebook account!

Here, I used Incognito tab to simulate the attack, you can however copy the cookie values of xs and c_user to another computer, and continue from step 6.

How Your Cookies are Stolen?

TCP/IP aren't designed to be secured, nobody predicted that it would grow to what it is today. It was initially designed for communication between few different computers, but the original design was improved overtime to include every single computers in the world. There are 2 ways to get your browser cookies:

  1. Remotely - where an attacker try to get your browser to send the cookies to an attacker website such as using a forged login page.
  2. Locally - where an attacker try to redirect all traffic to the attacker's computer (A.K.A Man-In-The-Middle attack) and a software will parse the traffic to scan for popular sites session IDs.

Remote attacks for cookie stealing are not very common, reason being that if you can forge a website, why not ask the victim for their passwords instead of stealing their cookies. It is however commonly used in spear phishing attacks, where the attacker got a designated victims and they wanted to simulate certain environments without looking suspicious.

Public WiFi is Evil

The sad truth about WiFi is that it function very similar to a hub. Yeah, it's encrypted and yes it's not easy to get WiFi encryption keys especially WPA encryption method with military grade encryption algorithms. Breaking a military grade encryption take years with brute-force, but who said anything about breaking any keys? Anyone who knows a particular "WiFi Password" literally has the key to decrypt any client's traffic within that network (WEP or WPA personal only, not for WPA enterprise). In other words, all the attacker need to do is to get connected to a particular public WiFi network, and start sniffing/capturing all traffic, AP's hub behavior makes this easy, as the router will broadcast a packet to all clients and each client will check whether the packet is destined for them and discard it if it's not.

To reduce suspicion, the attacker can choose to save the traffic into a file first, then harvest all cookie IDs from that file. Once they got the Session IDs, they gain access to the victim's account without the victim's knowledge, provided that the victim haven't logged out of their account.

SSL (HTTPS) is Not Foolproof

SSL offer traffic encryption to its users, through PKI, where a traffic is encrypted with the private key can only be decrypted with public key or vice versa, 2 keys are required to complete a cycle. Once the browser got your certificate where it contains all the essential information to communicate with the server in a secure manner, it will check with the issuer whether that certificate is really what it says it is. If something is fishy about the certificate, the browser will warn its user that the certificate is invalid. Most users will ignore the warning, because they have no idea what it is. That is how they expose their supposedly secured traffic.

How SSL Failed

When someone wanted to steal traffic from a secured site, all they need is the private key to decrypt the client's traffic, but it is only available in the server. So how they can get the private key without gaining access to the server?

One way is to create a self-signed certificate, in other words, they make themselves a CA, but since they aren't a CA recognized by the browser, the browser will still warn its user of an invalid CA. Once they created the certificate, they own a private key now.

The problem now is how to replace the original certificate with this self-signed certificate, so the attacker can decrypt their traffic? By replacing the router's ARP cache for all clients with the attacker's MAC address. So now the attacker is everyone, all traffic from the router will go to the attacker's computer.

Once the attacker got the traffic, a tool will check the traffic whether is for a targeted website, if it is, it will replace the certificate with a self-signed version and send it back to the intended client. If it isn't, it send the traffic back to its original client. That is how users' session IDs are exposed if they ignore the certificate warnings.

How to Protect Yourself from Session Hijacking and Cookie Stealing

  1. Avoid public WiFi or at least avoid using public WiFi to login to your online accounts, such as Facebook
  2. Always logout of your account, your session ID is only renewed when you re-login again, especially after login to any online services
  3. DO NOT ignore browser warnings
  4. Use a detection tool to detect if there are anything fishy in the network before using it, Blacksheep is a good tool to detect session hijacks
  5. Use a VPN or TOR or anything that will encrypt your traffic before using any public WiFi