What are Forged Cookie Attacks, and Why are They in the News?



There has been quite a bit in the news this week about “forged cookies” and “forged cookie attacks”, but little to actually explain them. A forged cookie attack is exactly what it sounds like though: a way for hackers to forge the information in your browser cookie, and when that information includes an authentication mechanism, voila! They can log into your account.

Forged cookies have been in the news recently because Yahoo just this week notified an untold number of users that their accounts may have been compromised in a forged cookie breach.

The email notice that Yahoo sent out regarding the forged cookies says:


Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.

Some sites, such as Ars Technica, are saying that the forged cookie hack may date from as far back as the Yahoo data breach of 2014.


The cookie breach was actually revealed back in October of 2016, but quietly (some would say slyly): Yahoo buried it deep in their quarterly SEC filing, saying in that SEC document that “…forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the Security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information.”




Yahoo has said that they have invalidated the forged cookies, but of course not before a given user’s account may have been improperly accessed.
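To make the two ideas above concrete (a cookie that carries authentication, and a site invalidating cookies after the fact), here is an added example that is not from Yahoo or from this article: a generic server-side check that rejects cookies whose contents do not match their signature and refuses every cookie minted under a revoked key. The cookie layout, key names and function names are assumptions for illustration; the article does not describe Yahoo's actual cookie format.

```python
import base64, hashlib, hmac, json, time

# Constructed demo keys; a real service would load these from a secret store.
KEYS = {"k1": b"constructed-demo-key-1", "k2": b"constructed-demo-key-2"}
ACTIVE_KEY_ID = "k2"
REVOKED_KEY_IDS = set()  # cookies minted under these key ids are refused

def b64(data):
    return base64.urlsafe_b64encode(data).decode()

def mac(key_id, payload):
    # The tag covers the key id and the payload, so neither can be swapped.
    msg = f"{key_id}.{payload}".encode()
    return b64(hmac.new(KEYS[key_id], msg, hashlib.sha256).digest())

def issue_cookie(user, ttl=3600, now=None, key_id=None):
    key_id = key_id or ACTIVE_KEY_ID
    now = time.time() if now is None else now
    claims = {"user": user, "exp": int(now + ttl)}
    payload = b64(json.dumps(claims).encode())
    return f"{key_id}.{payload}.{mac(key_id, payload)}"

def revoke_key(key_id):
    # Invalidate every cookie issued under a key believed to be compromised.
    REVOKED_KEY_IDS.add(key_id)

def verify_cookie(cookie, now=None):
    """Return the user name, or None if the cookie is forged, expired or revoked."""
    now = time.time() if now is None else now
    parts = cookie.split(".")
    if len(parts) != 3:
        return None
    key_id, payload, tag = parts
    if key_id not in KEYS or key_id in REVOKED_KEY_IDS:
        return None
    # Constant-time comparison; only after this check is the payload trusted.
    if not hmac.compare_digest(tag.encode(), mac(key_id, payload).encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["exp"] <= now:
        return None
    return claims["user"]
```

The signature check only helps while the signing key stays secret, which is why the example also supports revoking a key: once a key is revoked, cookies carrying a valid signature under it stop working.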
