There has been quite a bit in the news this week about “forged cookies” and “forged cookie attacks”, but little to actually explain them. A forged cookie attack is exactly what it sounds like: a way for hackers to forge the information in a browser cookie. When that information is what the site uses to recognize a logged-in user (a session or authentication cookie), voila! The attacker presents the forged cookie and is treated as you, without ever entering your password. For that to work, the attacker has to be able to produce a cookie the server accepts as genuine, which normally means knowing how the server creates its cookies and having whatever secret it uses to sign or generate them.
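To make the difference concrete, here is an added example (written for this page; it is not Yahoo's code, and the article does not describe how Yahoo's cookies were actually built). It uses a generic HMAC-signed session cookie, with a hypothetical secret and constructed sample values, to show three things: an unsigned cookie can be edited freely; editing a signed cookie's payload is rejected because the attacker cannot recompute the tag; and an attacker who has stolen the server's signing secret can mint a cookie that logs in as anyone without a password, which is exactly what the Yahoo notice describes. Rotating the secret is what invalidates such cookies.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical server secret for this example only. In production it lives in a
# secrets store or KMS; if it leaks, every cookie it signs can be forged.
SERVER_SECRET = b"constructed-example-key-do-not-use"


def make_unsigned_cookie(user: str, role: str) -> str:
    """Naive cookie: plain key/value pairs that anyone can edit in the browser."""
    return f"user={user};role={role}"


def read_unsigned_cookie(cookie: str) -> dict:
    """The server trusts whatever the cookie says. This is the forgery target."""
    return dict(part.split("=", 1) for part in cookie.split(";"))


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_signed_cookie(user: str, role: str, secret: bytes = SERVER_SECRET,
                       ttl: int = 3600, now=None) -> str:
    """payload.tag where tag = HMAC-SHA256(secret, payload)."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"user": user, "role": role, "exp": issued + ttl},
                         separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def read_signed_cookie(cookie: str, secret: bytes = SERVER_SECRET, now=None):
    """Return the claims if the tag verifies and the cookie is unexpired, else None."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
        expected = hmac.new(secret, payload, hashlib.sha256).digest()
        # Constant-time compare: reject before parsing anything attacker-controlled.
        if not hmac.compare_digest(tag, expected):
            return None
        data = json.loads(payload)
    except ValueError:  # bad base64, bad JSON, missing "."
        return None
    if not isinstance(data, dict):
        return None
    current = int(time.time() if now is None else now)
    if data.get("exp", 0) < current:
        return None
    return data


def tamper_payload(cookie: str, new_role: str) -> str:
    """Attacker edits the signed payload but keeps the original tag (no secret)."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    data = json.loads(_unb64(payload_b64))
    data["role"] = new_role
    return _b64(json.dumps(data, separators=(",", ":")).encode()) + "." + tag_b64


if __name__ == "__main__":
    legit = make_signed_cookie("alice", "user", now=1000)
    print("legit:", read_signed_cookie(legit, now=1000))
    print("tampered:", read_signed_cookie(tamper_payload(legit, "admin"), now=1000))
    # With the stolen secret the attacker needs no password at all.
    forged = make_signed_cookie("alice", "admin", secret=SERVER_SECRET, now=1000)
    print("forged with stolen key:", read_signed_cookie(forged, now=1000))
    print("after key rotation:", read_signed_cookie(forged, secret=b"rotated", now=1000))
```

Note what the signature does and does not buy you: it stops anyone from editing a cookie they were issued, but it does nothing against an attacker who holds the signing secret, since their forged cookie is indistinguishable from a real one. The only remedies then are rotating the secret (which logs everyone out) and looking for sessions that were never preceded by a password login.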
The reason that forged cookies have been in the news recently is because Yahoo just this week notified an untold number of users that their accounts may have been compromised in a forged cookie breach.
The email notice that Yahoo sent out regarding the forged cookies says:
Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.
The cookie breach was actually first disclosed back in October of 2016, but quietly (some would say slyly): Yahoo buried it deep in their quarterly SEC filing, saying in that document that “…forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the Security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information.”
Yahoo has said that they have invalidated the forged cookies, but of course not before a given user’s account may have been improperly accessed.