Hi All
It appears that hackers have found a way to get around 2FA systems, through the use of Cookies in particular environments.
Here is the Sophos reference link:
https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass/
Is it viable or true?
Regards
Caute_Cautim
As always, the answer is "it depends".
Cookies could be stolen and reused, but not always.
The reuse of Cookies might side-step MFA, but not always.
Framing it as all cookies can be stolen, reused, and in those cases MFA can always be side-stepped is completely wrong.
I'll come back to this when and if I have time to elaborate but for well-known services like O365, Google, AWS, etc. I'd say the claim is false. Most likely the examples relate to cookies for legacy systems that don't use current ways of authenticating users and provide pathways to MFA circumvention by default.
Is this not just "session hijacking", for which the defenses have been known for years .... validate the source-IP or client-cert at the start of each connection within the session; be on the lookout for unrelated simultaneous use, limit session length, etc.
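The defenses listed in the post above, sketched as a server-side session check. This is an added example, not part of the original post or any vendor's code; the `SessionStore` class, the timeout values, and the sample IPs and certificate fingerprints are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

MAX_SESSION_AGE = 8 * 3600  # assumed absolute session lifetime, in seconds
IDLE_TIMEOUT = 15 * 60      # assumed idle limit, in seconds

def client_binding(ip: str, cert_fp: str) -> str:
    """Hash of the properties the session cookie is tied to at login."""
    return hashlib.sha256(f"{ip}|{cert_fp}".encode()).hexdigest()

@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    binding: str

class SessionStore:
    def __init__(self):
        self.sessions = {}

    def login(self, sid, user, ip, cert_fp, now):
        # Called only after password + MFA have succeeded.
        self.sessions[sid] = Session(user, now, now, client_binding(ip, cert_fp))

    def check(self, sid, ip, cert_fp, now):
        """Validate a cookie at the start of each connection in the session."""
        s = self.sessions.get(sid)
        if s is None:
            return "unknown"
        if now - s.created > MAX_SESSION_AGE or now - s.last_seen > IDLE_TIMEOUT:
            del self.sessions[sid]  # limit session length
            return "expired"
        if not hmac.compare_digest(s.binding, client_binding(ip, cert_fp)):
            # Live cookie presented by an unrelated client: revoke it so
            # both parties must authenticate (including MFA) again.
            del self.sessions[sid]
            return "revoked"
        s.last_seen = now
        return "ok"

if __name__ == "__main__":
    store = SessionStore()
    store.login("sid1", "alice", "192.0.2.10", "fpA", now=0)  # constructed values
    print(store.check("sid1", "192.0.2.10", "fpA", now=60))     # same client
    print(store.check("sid1", "203.0.113.50", "fpB", now=120))  # replayed cookie
    print(store.check("sid1", "192.0.2.10", "fpA", now=180))    # session now gone
```

Binding to the source IP alone will also log out legitimate users whose address changes mid-session, which is why the post pairs it with a client certificate.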
@denbesten wrote: Is this not just "session hijacking", for which the defenses have been known for years .... validate the source-IP or client-cert at the start of each connection within the session; be on the lookout for unrelated simultaneous use, limit session length, etc.
Yes 🙂 but not if you're Sophos and you need to scare part-time IT people at SMBs into forking over money for the illusion of protection.