Are you being truthful with yourself? When was the most recent occasion you actually logged off a website? If it's not part of your regular routine, it really should be. Today, let's delve into the topic of session hijacking.
So, what exactly is session hijacking? According to the reliable source, Wikipedia, it refers to the exploitation of a valid computer session or session key to gain unauthorized access to information or services in a computer system. To put it simply, it means stealing a magic cookie that verifies a user to a remote server.
Alright, let's break it down in simple terms. When you log into a website with your username and password, you're authenticated, and a small piece of data holding your session information is stored in your browser. This data, commonly known as a cookie, functions like those rubber wristbands you receive at hotels or events - it lets you move around without repeatedly showing your ticket. So, every time you navigate through the website or add items to your shopping cart, the cookie is sent along and essentially says, "Yep, it's still her, she's legitimate."
Sometimes cookies are set to automatically expire after a short period of time, but often they're not. If the cookie does expire, you'll have to log in again, and that can be a hassle for some users. From the vendor's perspective, as long as you have an active cookie, they can track your activities not only on their own website but also on other websites. This is why browsers often have multiple active session cookies at any given time. But why is this a problem?
Well, that's where session hijacking comes in. The website only checks that the cookie is valid, not who is presenting it. So if you have a valid session cookie stored in your browser and you become a victim of cookie-stealing malware, someone else can present that stolen cookie and impersonate you.
Remember that recent LastPass breach? How did it happen? Similar to a recent breach of CircleCI, the intruder gained access through an employee's compromised laptop, which was infected with malware. This allowed them to steal session tokens used to keep the employee logged in to certain applications, even though their access was protected with two-factor authentication.
Ah! Here's a rare instance where even two-factor authentication can't fully protect you: the second factor is checked when you log in, and the session cookie you receive afterwards is proof that the check already passed. Whoever holds a valid cookie is never asked for the second factor again.
So, how can you safeguard yourself?
It's actually quite simple: Log out of websites when you're finished! Yes, that's all there is to it. Logging out tells the website to invalidate your session, so even a copy of the cookie that was stolen earlier no longer works. When you're ready to leave, simply click on "My Account" and scroll down to find the Log Out button. (Sometimes you may need to click on "Continue Shopping" first to locate it.)
If you want to take an additional step to protect your privacy, you can also clear your browser history and delete all those cookies before visiting another website. It only takes a couple of clicks, a few seconds, and once it becomes a habit, you'll do it without even thinking.
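To make the wristband analogy concrete, here is a small added example (not code from the original post, and not any real website's implementation) of how a server keeps track of sessions. It shows the three things the post describes: a cookie issued after login is accepted from whoever presents it, logging out invalidates it on the server so a stolen copy stops working, and an idle timeout expires it on its own. The store, the `alice` user and the timeout value are all constructed for the example. One caveat worth knowing: deleting cookies in your browser, as the previous paragraph suggests, removes the token from your device but does not tell the server anything, which is why clicking Log Out is the step that actually kills the session.

```python
import hashlib
import secrets
import time

# Constructed example: an in-memory session store. Real sites keep this in a
# database or cache, but the behaviour a session cookie relies on is the same.

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session expires (assumed value)


def _fingerprint(token):
    # Store only a hash of the token, so a leaked server-side table cannot be
    # replayed as cookies.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}          # fingerprint -> {"user": ..., "last_seen": ...}
        self._idle_timeout = idle_timeout
        self._clock = clock          # injectable so the example can advance time

    def login(self, user):
        """Issue a fresh, unguessable session token after the user has authenticated
        (password, 2FA and so on all happen before this point)."""
        token = secrets.token_urlsafe(32)
        self._sessions[_fingerprint(token)] = {"user": user, "last_seen": self._clock()}
        return token  # this is the value that ends up in the browser's cookie

    def user_for(self, token):
        """Return the user a cookie belongs to, or None if the session is invalid.
        Note that nothing here checks *who* sent the cookie: any holder of a valid
        token is treated as the user. That is the property session hijacking abuses."""
        session = self._sessions.get(_fingerprint(token))
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > self._idle_timeout:
            del self._sessions[_fingerprint(token)]   # expired: forget it
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, token):
        """Invalidate the session on the server. Every copy of the cookie, including
        one that was stolen earlier, is now worthless."""
        self._sessions.pop(_fingerprint(token), None)


def demo_stolen_cookie():
    """Walk through the scenario from the post and return what the server decided."""
    now = [1_000_000.0]                       # fake clock we can advance
    store = SessionStore(clock=lambda: now[0])
    results = {}

    cookie = store.login("alice")             # alice logs in (2FA already passed)
    stolen_copy = cookie                      # malware on her laptop copies the cookie
    results["stolen_copy_before_logout"] = store.user_for(stolen_copy)

    store.logout(cookie)                      # alice clicks Log Out
    results["stolen_copy_after_logout"] = store.user_for(stolen_copy)

    cookie = store.login("alice")             # next day she logs in again...
    now[0] += IDLE_TIMEOUT + 1                # ...and walks away without logging out
    results["after_idle_timeout"] = store.user_for(cookie)
    return results


if __name__ == "__main__":
    for step, outcome in demo_stolen_cookie().items():
        print(f"{step}: {'accepted as ' + outcome if outcome else 'rejected'}")
```

Running it shows the stolen copy accepted as `alice` before logout and rejected afterwards, and the abandoned session rejected once the idle timeout passes. A site with no idle timeout at all (the "often they're not" case above) would keep accepting the cookie until the user explicitly logs out, which is exactly why the habit matters.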