#sessioncookies

2025-04-22

A seemingly harmless Chrome extension can now hijack your digital keys—stealing Azure session cookies and bypassing MFA. Curious how this stealthy Cookie-Bite attack works and what you can do to stay secure?

thedefendopsdiaries.com/unders

#cookiebiteattack
#azuresecurity
#sessioncookies
#cyberthreats
#microsoft365security

Tedi Heriyanto (tedi@infosec.exchange)
2024-08-03

Learn how Slack automatically detects stolen session cookies: slack.engineering/catching-com

#sessioncookies #security

Google fighting back against session hijackers: stolen cookies to be worthless
cybernews.com/tech/google-figh #cybersecurity #gmail #youtube #sessioncookies

Hella (old account) (unixwitch@mastodon.bayern)
2024-01-06

@11110110101 @heiseonline
If I'm reading the original (cloudsek.com/blog/compromising) correctly, the problem only exists for accounts that have already been cracked. Presumably MFA helps so that it never gets that far in the first place?

Otherwise:
"If you suspect your account may have been compromised, or as a general precaution, sign out of all browser profiles to invalidate the current session tokens. Following this, reset your password and sign back in to generate new tokens."

#Google #MFA #OAuth #SessionHijacking #SessionCookies

2023-03-03

Sneak peek at the new ronin-web session-cookie command coming in ronin-web-1.1.0:

$ ./bin/ronin-web session-cookie "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}
$ ./bin/ronin-web session-cookie --verbose "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
Type: JWT
Header:

{
"alg": "HS256",
"typ": "JWT"
}

Params:

{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}

HMAC: "I\xf9J\xc7\x04IH\xc7\x8a(\\\x90O\x87\xf0\xa4\xc7\x89\x7f~\x8f:N\xb2%V\x9dB\xcb0\xe5"

#websecurity #sessioncookies #bugbountyhunters

2023-02-10

@wilson I had to figure out Django's weird "project" vs. "app" design, and wire up a "view" to set a "session variable" which apparently you do by modifying request.session, and set SESSION_ENGINE to 'django.contrib.sessions.backends.signed_cookies', but I finally got it:

Set-Cookie:  sessionid=eyJmb28iOiJiYXIifQ:1pQcTx:UufiSnuPIjNs7zOAJS0UpqnyvRt7KET7BVes0I8LYbA; expires=Fri, 24 Feb 2023 23:07:05 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax

The first part of the session cookie is the Base64 JSON serialized session variables. The second part appears to be the request ID or some kind of counter, and the third part must be related to the HMAC.

If I set SESSION_SERIALIZER to 'django.contrib.sessions.serializers.PickleSerializer' (which is apparently getting removed in 5.0, but is probably still used), I get the pickled session variables:

Set-Cookie:  sessionid=gAWVEAAAAAAAAAB9lIwDZm9vlIwDYmFylHMu:1pQcay:RjaK8DKN4xXQ_APIXXWEyFS08Q-PGo6UlRBFpedFk9M; expires=Fri, 24 Feb 2023 23:14:20 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax

#django #sessioncookies
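The two posts above (the ronin-web JWT output and the Django signed_cookies cookie) show the same pattern from the outside: a base64url payload, a timestamp, and an HMAC that makes the whole thing tamper-evident. The following Python is an added example written for this page; it is not ronin-web's code, not Django's code, and not from either poster. It decodes both tokens exactly as they appear in the posts, and adds the step the posts stop short of: verifying the HMAC. For the JWT the secret is known (it is the standard jwt.io sample token, signed with "your-256-bit-secret"). For the Django cookie the poster's SECRET_KEY is not on the page, so the sign/verify round trip uses a constructed secret; the signing construction (SHA-256 key derived from salt + "signer" + SECRET_KEY, then HMAC-SHA256 over "payload:timestamp") is an assumption mirroring Django's TimestampSigner as I understand it, not something the posts state. One thing the decode does show from the page's own data: the middle field is a base62 Unix timestamp, since "1pQcTx" decodes to 2023-02-10 23:07:05 UTC, which is the cookie's expires value minus its Max-Age of 14 days.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

# Tokens copied from the two posts above. The JWT is the well-known jwt.io sample
# (HS256, secret "your-256-bit-secret"); the cookie is the Django signed_cookies example.
JWT_SAMPLE = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)
DJANGO_COOKIE = "eyJmb28iOiJiYXIifQ:1pQcTx:UufiSnuPIjNs7zOAJS0UpqnyvRt7KET7BVes0I8LYbA"
BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SESSION_SALT = "django.contrib.sessions.backends.signed_cookies"


def b64url_decode(s):
    """Base64url without '=' padding, as used by JWT and by Django's signing module."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# ---- JWT: what `ronin-web session-cookie --verbose` prints, plus a verification step ----

def jwt_inspect(token):
    """Split header.claims.signature and decode the JSON parts (no verification yet)."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "claims": json.loads(b64url_decode(claims_b64)),
        "signature": b64url_decode(sig_b64),
    }


def jwt_verify_hs256(token, secret):
    """Recompute HMAC-SHA256 over 'header.claims' and compare in constant time."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    if jwt_inspect(token)["header"].get("alg") != "HS256":
        return False  # pin the algorithm on the verifier side; never let the token choose it
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


# ---- Django signed_cookies: payload:timestamp:signature ----

def base62_decode(s):
    n = 0
    for ch in s:
        n = n * 62 + BASE62.index(ch)
    return n


def base62_encode(n):
    out = ""
    while n:
        n, r = divmod(n, 62)
        out = BASE62[r] + out
    return out or "0"


def django_inspect(cookie):
    """Decode the JSON-serialised session and the base62 issue timestamp (no verification)."""
    payload_b64, ts_b62, sig_b64 = cookie.split(":")
    if payload_b64.startswith("."):  # Django zlib-compresses larger payloads and marks them with '.'
        raw = zlib.decompress(b64url_decode(payload_b64[1:]))
    else:
        raw = b64url_decode(payload_b64)
    # Only the JSON serializer is handled here. A PickleSerializer payload (the second cookie
    # in the post) must never be unpickled before the signature has been verified.
    return {"session": json.loads(raw), "issued_at": base62_decode(ts_b62), "signature": b64url_decode(sig_b64)}


def _django_signature(value, secret_key, salt=SESSION_SALT):
    # Assumed construction mirroring Django's salted_hmac():
    # key = SHA-256(salt + "signer" + SECRET_KEY), then HMAC-SHA256 over "payload:timestamp".
    key = hashlib.sha256((salt + "signer" + secret_key).encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).digest()


def django_sign(session, secret_key, now=None):
    payload_b64 = b64url_encode(json.dumps(session, separators=(",", ":")).encode())
    value = f"{payload_b64}:{base62_encode(int(now or time.time()))}"
    return f"{value}:{b64url_encode(_django_signature(value, secret_key))}"


def django_verify(cookie, secret_key, max_age=1209600, now=None):
    """True only if the signature matches AND the timestamp is within max_age (14 days, like the post's Max-Age)."""
    value, _, sig_b64 = cookie.rpartition(":")
    if not hmac.compare_digest(_django_signature(value, secret_key), b64url_decode(sig_b64)):
        return False
    issued = base62_decode(value.rpartition(":")[2])
    return (now or int(time.time())) - issued <= max_age


if __name__ == "__main__":
    info = django_inspect(DJANGO_COOKIE)
    print(info["session"], time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(info["issued_at"])))
    print(jwt_inspect(JWT_SAMPLE)["claims"], jwt_verify_hs256(JWT_SAMPLE, b"your-256-bit-secret"))
    c = django_sign({"foo": "bar"}, "constructed-secret-not-from-the-post", now=1676070425)
    print(c, django_verify(c, "constructed-secret-not-from-the-post", now=1676070425 + 60))
```

The point of the two verify functions is the defender's side of the posts: decoding a session cookie is trivial for anyone who holds it (the session contents are not secret), so what protects the session is the HMAC plus the timestamp check, and both only hold if SECRET_KEY stays secret and the verifier pins the algorithm rather than trusting the token's own header. Signing with the constructed secret reproduces the post's first two fields ("eyJmb28iOiJiYXIifQ" and "1pQcTx") byte for byte, while the third field necessarily differs because the poster's key is unknown.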

2023-02-10

Why is it so hard to get an example of what a Set-Cookie session cookie header looks like for Django? No, I don't want to know how to use cookies in a Django app, I want to see the raw HTTP output. I swear Google is getting worse.

Edit: appears that I'm specifically looking for an example output of django.contrib.sessions.serializers.PickleSerializer or django.contrib.sessions.backends.signed_cookies, not the standard sessionid=....
#django #http #sessioncookies

2019-02-12

So amazing add-ons for @Firefox... #cookieAutoClean and #uBlockOrigin allow fine and granular management of #sessionCookies for one and #js for the other. With additional containment of dedicated domains e.g. #google, #amazon, #facebook and so on, there is little more to do for proper #provacyProtection on the web
