Beware of Bad Cookies

November 18, 2022

Cookies are one of the most delicious inventions ever, unless it’s an HTTP cookie. Those, not so much. HTTP cookies are small text files that help web developers give you more personal, convenient website visits. These small files let websites remember you, your logins, history, your shopping carts and more. Because they remember this information, they can be a treasure trove of private info for criminals to spy on.

Session cookies are used only while navigating a website; they are stored in your device’s memory and are deleted as soon as the session ends. These cookies are quite appetizing to cyber criminals - cookie hijacking (or session hijacking) is one way these bad actors can access and steal your personal data. Once the attacker has a user’s session cookie, they can log in to a website and do pretty much anything you could do, including changing your password. And this is often automated, so it happens in just seconds.

Cybercriminals can gain access to your cookies in a number of ways, including sending you a fake link, monitoring your traffic on unsecured public wifi, or by leveraging malware that might already be running on your device due to a past phishing email.  You can limit your risk of cookie hijacking attempts by doing the following:

  • Check the URL: Ensure  your traffic is encrypted by ensuring the link begins with HTTPS
  • Connect Safely: Avoid free, public Wi-Fi, especially ones with no password! Your cellular connection is always a better bet; use your hotspot if you have one
  • Cookie Consent Banner: When provided the option, always choose Reject All. Other than strictly necessary cookies, which are exempt from cookie consent, users are given the ability to decide whether a website can drop cookies on their device or not 
  • Log Off: When you’re done with a website, log off so your session cookies are deleted
  • Delete Cookies: Regular clean up can ensure leftover browsing activity data is gone
  • Use a VPN: Use a Virtual Private Network, which hides your IP address and encrypts your traffic, whenever possible

Visit https://www.kaspersky.com/resource-center/definitions/cookies to learn more about the function, types, and potential abuse of cookies.

UA Security Matters is a system-wide effort to increase awareness on cybersecurity topics. For more information, please visit the UA Security Matters website at https://alaska.edu/securitymatters/index.php or email us at ua-securitymatters@alaska.edu.