This is how your account can be hacked even with two-factor authentication and strong passwords

 This is how your account can be hacked even with two-factor authentication and strong passwords


It is recommended to use a strong password and enable two-factor authentication (2FA) to keep your online accounts secure. Although these are important steps, they should never be ignored.



But the truth is different here. Even if you have a strong password for your account and have enabled two-factor authentication, your account can be hacked.


But how? That is ‘cookie theft’. It is much easier than you think. Let’s understand in detail.


What is cookie theft?

When you log in to a website, your browser saves something called cookies. These cookies contain your ‘session ID’. This is the thing that tells you that you have already logged in to that website.


Think of it as a ‘gate pass’. As long as you have the cookie, the website will not ask you for your password or TFA again. It simply allows you to enter the website.


If someone steals such a cookie, that person can easily use your identity or status on the website as you do. Such a person does not need your password, nor does he need TFA. Just your cookie is enough.


Some common methods used in cookie theft


1. Manual cookie theft using ‘Inspect Element’


This method is very simple. To avoid this, you need to understand where it is and how it is taken. For that, you can follow the process below.


First of all, go to any website where you have an account login in the browser and open the developer tools. (For this, you can right-click the mouse and go to the Inspect option or press ‘F12’ or ‘Fn’ together with F12.)


Then go to the Application tab and go to the Cookies option.


Now copy the Session Cookies of the logged in account like ‘session_id’, ‘auth_token’.


Then paste the session cookies in another browser. After doing this, your account will appear logged in in the browser where you are not logged in.


Here is a demo of GitHub in the Chrome browser of Windows.


First of all, go to ‘https://github.com’ and sign in. Then press F12 to open ‘Developers Tools’. Then go to the Application tab and go to the Cookies section. And click on ‘https://github.com’. Find the highlighted name (user_session and saved_user_session ID) and copy its value.


Image: Copying ‘user_session’ and ‘saved_user_session’ IDs from the browser

Image: Copying ‘user_session’ and ‘saved_user_session’ IDs from the browser


Now, paste these session IDs in the same field on another device or another browser on the same device and refresh. This way we can access the user’s account without logging in.


This example shows that someone can manually steal the session using the device.


2. Risky browser extensions


While some browser extensions may seem useful to you, they may be secretly stealing your cookies.


These extensions can silently collect all your session cookies and send them out.


The hacker then injects those collected cookies into his browser.


They now have easy access to your account. They don't need your password or TFA.


Therefore, you should only use extensions created by trusted developers. You can always check what permissions they are requesting. If they are asking for unnecessary access, you can remove them immediately.


3. Directly stealing cookie files


The major browsers we use store cookies in files within the system.


Firefox: (C:\Users\<Your_Username>\AppData\Roaming\Mozilla\Firefox\Profiles\<Profile_Name>\cookies.sqlite)


Chrome: (C:\Users\<Your_Username>\AppData\Local\Google\Chrome\User Data\Default\Cookies


)


Cookie stealing process


Initially, the hacker gains access to your computer by physically gaining access or using malware.


It copies the associated cookie files (such as cookies.sqlite or Cookies).


Then it can use your session from another computer's browser.


The browser reads those cookies.


And, the hacker can recreate your active session without a password or TwoFA and log in directly to your account.


4. Malware and scripted attacks


Hackers also use malware to steal cookies and passwords from browsers like Chrome, Firefox, and Edge. Some malware can bypass antivirus programs and silently send your data to the hacker.


This is why you should never install unauthorized, unknown, or unfamiliar software. This is especially dangerous when installing software from random websites or torrents.


Why can't TwoFA prevent cookie theft?


TwoFA only works when someone tries to log in with your account username and password. However, if a hacker gets your session cookies, they don't have to keep logging in. Once they have the session ID, the website will assume that you are the person and log them in. 

Comments

Post a Comment

If you have any doubts. Please let me know.

Popular posts from this blog

Artificial intelligence (AI) - the ability of a digital computer.

Image
Artificial intelligence Artificial intelligence (AI), the ability of a digital computer or computer-controlled robot to perform tasks typically related to an intelligent person. The term is often applied to projects of developing systems. The characteristics of intellectual processes are human characteristics, such as the ability to reason, invent, generalize, or learn from past experience. Since the development of the digital computer, it has been demonstrated that computers can be programmed to perform very complex tasks - for example, finding evidence for mathematical theorems or playing chess - with extreme efficiency. Yet, despite the steady advancement of computer processing speed and memory capacity, there are still no programs that match human flexibility in the tasks required for broad domains or more daily knowledge. On the other hand, some programs have achieved performance levels of human specialists and professionals to perform specific tasks, so that in this limited sense...
Read more

Facebook's name has been changed to 'rebranding'

Image
Facebook's name has been changed to 'rebranding' Facebook, which has been tarnished by misinformation and frequent user data leaks, has changed its corporate name. On Thursday, 17 years after its inception, Facebook announced its decision to change its corporate name to 'Meta'.
Read more

What is SEO and how to do search engine optimization?

Image
What is SEO and how to do search engine optimization? What is SEO and why is it important for a blog? The simple answer is SEO is the life of blogging. Because if you want to write any good article, if your article is not ranked properly, then the chances of getting traffic in it are negligible. In such a situation, all the hard work of the writers goes into the water.
Read more

Labels

Tech AI Technology the to is Google Artificial Intelligence how in
Social media Facebook of What a and phone on This mobile are you Do smartphone internet IT Android Nepal workforce your app from robot iPhone use Machine Learning for Python will with account can company computer data does password these twitter Apple digital feature Instagram Whatsapp YouTube be like machine media not why Tiktok new ChatGPT China an by free or out people search that website without work Future India ML corona features find information make online public video Elon Musk Microsoft One apps has market million protect social user users way year Intelligence Laptop US billion education history home service videos want Bitcoin Have Here Machine Learning Future Nepali Now Operators Scientists Wi-Fi Windows browser chrome code cyber download hacking money network photos tips world Amazon Artificial Intelligence Future Avoid Cryptocurrency If Know Learning TV Things artificial battery being human malware many need netflix photo security smart software study system there update which 10 15 Beginners Buy Deep Learning Did Privacy Who about business career chat cloud digital marketing down hacker marketing millions number phones sent two virus when work force Agriculture Bug Deep Earth GPS Gmail Google Maps Kaggle Keep NASA RAM Than Top Windows 11 World Cup Xiaomi address after also as at available camera change dangerous difference don't drive earn easy email going hacked its job jobs language life look may message news old open price really search engine settings storage store such used version watch windows 10 working 14 2020 2022 4 5 6 7 Cambridge Content Dark Web GB GPT Global Health-care Lite Maps Messages More Oppo Pakistan PayPal Print Pro QR Reasons Risk SEE SEO Samsung So Some Telegram TensorFlow Tutorial Type Types Vision Ways WiFi Zoom advertising all attack been best better biggest blue brain chip comments country created cyber attacks electricity engine eyes fake files first football function game get go government hackers hidden hours image install lost medical mind misused mode monitor moon once pay percent play problem processing program quantum robots safe scan science send share signal smartphones space stay story take their them thousands time topics tricks up using was water web where while wireless workers 000 2024 5G AI Education Alan Musk America Analytica Applications Army Blockchain Bounty CCTV COVID-19 Chat GPT Choose Clean Close Clubhouse Computer Vision Crypto DL Developer Development Docs Electric Even Explain Factory Finally Gemini Google chrome Google drive Healthcare Help Here's I IBM Japan Keras Kernels Large Lifestyle Looking MDMS Mac Models Musk Natural Ncell Net Notebooks PC Preparing Russia SIM SMS Save Scikit-Learn Skills SpaceX Stephen Hawking Sun Tesla Theme Therefore Thinking VPN Variables Word WorldLink ability accounts ads age airplane any aware background bandwidth bank become beneficial between blocked bring bully cable call cameras cannot captions capture care cause charge chatbots check come coming companies complete computers consumption copyright corona-virus courses create currency cyber security dataset datasets days delete deleted deleting details developed device dislike doctor documents doing domain due during dynamic energy engineer engineering exactly forever found fraud full gadgets games getting given good got guest handle his humans iOS iPhone 14 iPhones important including increase industry keyboard known launch law learn listen live manager map meaning megapixel memory messenger model month months most movies much name nonsense nuclear opening over own passwords phishing physics porn post posts prevent private problems product production programming protection quickly real-world reduce reward robotics run same saving say scandal searched selfie show site sold someone speaking speed spyware stuck students subscription systems target techology television tick today torrent traffic trillion universe upload verification voice war weakest women worldwide years & 'Buy the Dip' 'HDR' 'I' 'Mr. Beast' 'Professional Mode' 'football intelligence' 'hidden' 'refill station' (IoT) (LLM) (NLP) 1 100 10:10 10th 12 145 16 17 19 2 200 2007 25 35 3D 40 4000 48 4K 5 P's 60 7 C's 8 @everyone on A17 AI Tool AI ethics API AR Adjust Adobe Adopt Adsense Adsense Supports Africa Alexa Ali Baba Altman Amazon Jungle Amazon Prime Ambani American Anaconda Android 11 Android TV Android phone Annoyed Appoints Arithmetic Art Art through NFTs Artficial Intelligence Artificial neural Artuficial Intellegence Ashika Tamang Assignment Assistant Astronauts Astronomy Atrificial Inteligence Attacks Audiobooks Augmented Reality Australia Auto-GPT AutoML Avatar 2 Bachelors Banned Bard AI Based Because Before Bernie Sanders Big data BigQuery Bill Gates Bitwise Blind Blockchain Developer Blockchain Technology Books Brave Brave Browser Brazil C charger CPU CPU temperature CTEVT CV Cases Casting Changed ChatGBT Chery Chinese Citroën C5 Cloud Factory Cloud Factory Nepal Club House Colab Command Comparison Compute Concatenate Contactless Contactless payment system Copa America Copilot Couple Challenge Crash test Create your first Project on Python Crossover Cup DNS DRS Gaming Dark mode Datalab Deep Fake Deep Learinig Deep Learning with Python Deep Neural Networks Deepfake Demat Dept Development in predictive analytics Didn't Digital avatars Discontinuing Do not Dodge Dogecoin DuckDuckGo E-task EA ETF EU EV Earbuds Earth 2 Earthquake Edge Computing El Salvador Elected Electric Vehicles Electrical Elon Embedded Application Embedded Application (EA) Emoji Estimators Ethical Hacking Euro NCAP European Everyone Evolve Explained Explosion Express WiFi FPS Facebook Messenger Facebook's Facets Fears Federal Reserve System Finance Firefox FiveG Fixed wireless Follow Forge Fraud Call Freefire Freelancing GIF Git Gold Google Chat Google Cloud Google Meet Google Play Music Google Plus Google Plus code Google Workspace Google search Green room Greenroom. Spotify Guest Mode HDMI Happy Birthday Health sector Holi Honest Honeygain Huawei Hyundai ID IMD IP ISP Identify Implementing Includes Increasing Indonesia Inflation InfoSec Input Inspiration Installation Integrated circuit Intel Intelligent Internet of Things (IoT) Introduction Iranian Island Isn't JBL JPG JPMorgan Chase & Co Jack Ma January JavaScript Jio Joker Virus Jungle Jupyter Jupyter Notebooks Keys Korean LAN LLM LP Large Language Models Launch of better autonomous systems Lee Kun-hee Library Line Linux Logical Lucky MDMS Nepal ML Engine MSN MaAfee Mark Zuckerberg Max Meet Membership Mero Share Metaverse Microsoft Office Microsoft Teams Military Military weapons Mobile Operating System Module Mouse Mukesh Ambani Music Must NASA's NEA NFT NFTs Natural language processing (NLP) Nepal. radio mapping Nepali businesses Nepali game Nepali youth Nepalis NetTV Neural Network Neural Networks New Technology No Nokia North Korea Note Object Detection Open-source Opera Operating PDF PNG PPT PUBG Pandas Paytm Pendrive Photoshoot Pi Network Pip Plan Play Store Pokémon Pokémon Go Police Premium Preparations Prerequisite Prime Pro's Process Process discovery Pycharm Pyenv Python Programming Python Tutorial Python Tutorials Python for Beginners Python on Windows Quick Draw RCS Race Radically Ransomware Rashtra Bank Reboot Recommender Recommender Systems Redmi Reinforcement Reinforcement learning Reliance Reliance Jio Remove. bg Replacing Revolution Rice that grows for years once planted Rises Robot Sophia Roles Ronaldo Routine of Nepal Banda S&P 500 S&P Global Ratings SD Scale Scaling Scikit Screen Pinning Selection Seven Shorts Singapore Sitting SixG Snapchat Sophia South Korea Space X Spam Stable Coin Starlink Steve Jobs Stock market String Success Sundar Pichai Supermarket Supervised Supervised Learning Supervised Machine Learning Supply Chain Attack Supports Swift TIFF Telecom TensorBoard TensorFLow Hub Thes Tiktok stop Time Travel Tool Training Data Transforming Trojan Truecaller Trump Trusting Type-C US Congress USA USB United States Unnecessary Unsupervised Unsupervised Learning Unsupervised LearningUnsupervised Machine Learning Unsupervised Machine Learning Upcoming Upcoming Technology Urges Using a drone VPNs VR Vehicles Virtual reality Virtualenv Visualize WWW Wait Walkthrough Walmart WeChat Wha What are Assignment Operators in Python What are Comparison Operators in Python What are Logical Operators in Python What are Operators in Python What are the basic laws of quantum physics What is What is Chat GPT What is Google Adsense What is Pycharm What is Python What is String in Python What is Variable in Python Whose Wi-Fi 6 Wikipedia WordPress Wrangling data Write X X8 series XAI XOR XSS YouTuber Ziglar Zipty Zuckerberg admin advertisers again against agency agricultural ai beauty air aircraft aired alert algorithm almost along alpha alternative analytics ancient angles announcement announces another answer answering antivirus anyone anything appear appearance appliances approach approaching approaching science meaning apps. google article artificial blood vessels arts associated attention audience authentication automatic automatically autonomous avatars back backed ban bans bar basic batteries becoming beginner benefit benefits bitcoin mine bitcoins black block boarding bogged book bought box brand break brings broadband brought browsing bug bounty build but buttons buying bypass cable internet cables calculus calls campaign can't cancer car cards careeer carry cave center challenge channel charger charging chat.com cheap cheaper checkmarks chess child children choose. a class clicking climbers clock closest club coding colleges color combat common communicate compensates compete competing computer mouse computer science concept connect cons control controls controversies could countries credit crisis criteria crore crores crowdsourcing culture cyberattack d about damaged danger dark data center data science dating apps day debit dedicated delete data depression destination devices diary die different digit digital banking digital cameras digital land digital privacy disappeared disappearing discovered discovery displaced display document dog dollars doodle door downloads dream drone drug trafficking e features e-Rupee e-books e-passport e-sewa eBooks ePassport each earn money from Nepal easier eating economy edit effective electronic else email server emails emerged emergency emojis employee employees end enough espionage etflix ethics except excessive excuse existence expected expire extracts eye face app facial verification factor facts family far farm fax fdown.net fee feet fiber fight file film final five flying foldable food fooled footprint forced foreigners forget forgotten form formats foundation free upgrade frequency freshman from search fruit fuel game tips gamer gas gasoline geometry gets gives glasses goes good content goodbye goods google docs gossip granted great groups growing had hall hand handy happen happy harmful he head headphones headset heater hobby human brain human intelligence human trafficking hundreds hurting hydrogen hype iCloud iPhone 12 Pro illegal data illicit trade image processing processor images impair inbox incidents incognito income increased incur insecure instant instrument interest internal storage internet speed into intranet introduced invented invention invest investment invites jack join journalists journey kit laboratory lakh languages last later latest launched launching lawmakers laws leak leaks legalize let letter letters light likes link lives loaded location locked longest lose loss love machine vision made main main features makes man manage management system mango marketplace martial mask matches measuring meetings melting meme messaging meta microphone middle million. downloads mine mistake mistakes mobile number moble moment monitors mountain move movie moving mute name-x naming near necessary neural neural networking new code new look new windows news anchor night mode non notes notifications now.gg nuclear energy obscene official offline open source opened operate operated operating system opposed optic optical fiber optimization option options other others our outbreak overheating oversold owner page paid pandemic paper participant participate passports password. patent pattern paying payment pen drive permanent permission person personal perspective phone confidential picture pictures pirated placed planting platform platforms political pop-up popular popularity port possible powered practice predictive pregnant prepared principles prize processor product key programmatically programming languages project prompt property pros protected proxies proxy quantum computer quantum internet quires quota r daily radio rain rainy season rate reach reading ready real reason rebranding record recovery reform refresh refreshes refrigerator regarding registered registration regulators relationship released remain remove removes removing repairing replace report requiring reset residence resolution responsibilities restaurants returned revenue review rings risks risky road robotic dog rocket room rooms round ruin rules running safely safety sale satellite saying says scary schedule scheme schools screen screens search engines secret secretly secure selectric cars sell semi-final semiconductor sending series server services shared ships shocked shortage should shoulders shuffled shuts shutting sidebar simple since sites sky sleeping smartblock smartly social engineering hacking software. tech solutions solve somewhere soon source sources space center space debris spacecraft spaceships special spectrum spend spending sponsors sports spying star starship start starting starvation steps stocks stolen stop stories strategy streaming strong student studying subject subscribers successful suggested suggestions suitable suitcase surface surprised survive t are tag tagging talent talk teach team technlogy technoloy technonlogy telecommunication terminology test text they think thousand thread threat to threats through throwaway timer tinder toilet too took topic tossing touch pad tracking trackpad trading transact transactions transport travel trending trends trip turn turns tweets unbuyable unemployed unemployment unpleasant unregistered unsafe unseen unveils upgrades useful uses various versatility very view viral virtual virtual currency virtual world vishing visit visiting vulnerabilities warning washing waterproof we weapons web design websites week well went were wet willing woman works workspace world war worrie worth writer written wrong young
Show more