What are Forged Cookie Attacks, and Why are They in the News?

yahoo cookie forgery
Share the knowledge

There has been quite a bit in the news this week about “forged cookies” and “forged cookie attacks”, but little to actually explain them. A forged cookie attack is exactly what it sounds like though: a way for hackers to forge the information in your browser cookie, and when that information includes an authentication mechanism, voila! They can log into your account.

The reason that forged cookies have been in the news recently is because Yahoo just this week notified an untold number of users that their accounts may have been compromised in a forged cookie breach.

The email notice that Yahoo sent out regarding the forged cookies says:

Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.

Get New Internet Patrol Articles by Email!

The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.

CashApp us Square Cash app link

Venmo us Venmo link

Paypal us Paypal link

 

Some sites, such as Arstechnica, are saying that the forged cookie hack may have been from as far back as the Yahoo data breach of 2014.

The cookie breach was actually revealed back in October of 2016, but quietly (some would say slyly), when Yahoo revealed it buried deep in their quarterly SEC filing, saying in that SEC document that “…forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the Security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information.”

yahoo forged cookie cookies security breach

 

Yahoo has said that they have invalidated the forged cookies, but of course not before a given user’s account may have been improperly accessed.

Get New Internet Patrol Articles by Email!

The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.

CashApp us Square Cash app link

Venmo us Venmo link

Paypal us Paypal link

 


Share the knowledge

Leave a Reply

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.