Why Hackers Can’t Resist Your Cookies

We break down how hackers steal cookies, what session IDs do, and how to keep your cookies safe from cybercriminals.

Almost every website you visit will greet you with a pop-up about cookies. Usually, you can choose to accept all cookies, allow only the necessary ones, or reject them entirely. Whatever option you pick, you might not notice much difference, and the notice will typically disappear after a moment.

In this article, we’ll explore cookies in more detail: what they do, the different types, how hackers can exploit them, the risks involved, and how you can protect yourself online.

What are cookies?

Whenever you visit a website, it can send a cookie to your browser — a small text file containing information about you, your device, and your actions on that site. Your browser saves this data and sends it back to the server each time you return, making your experience smoother: you don’t have to log in repeatedly, websites remember your preferences, online stores retain items in your cart, and streaming platforms track where you left off. The convenience is endless.

Cookies can store login info, passwords, security tokens, phone numbers, addresses, bank details, and session IDs. Let’s take a closer look at session identifiers.

A session ID is a unique code assigned to a user when they log in. If a hacker gets hold of this code, they can impersonate the user. Think of it like an electronic office pass: if stolen, anyone can access doors you have access to, and the security system thinks it’s you. Online, this means a stolen cookie can let a hacker access a website as you without needing your username or password, sometimes even bypassing two-factor authentication. In 2023, Linus Sebastian’s three YouTube channels — including “Linus Tech Tips” — were hijacked in precisely this way. We’ve covered this incident in detail.

Types of cookies

Cookies can be categorized in several ways.

By duration

  • Session cookies: These exist only while you’re on the site and are deleted once you leave. They help keep you signed in or remember language and region settings.
  • Persistent cookies: These remain on your device after you leave, sparing you from repeatedly accepting cookie policies. They often last around a year.

Some session cookies can become persistent if you select options like “Remember me” or “Save settings.”

By origin

  • First-party cookies: Created by the website itself to ensure proper functionality and user experience. They may also support analytics and marketing.
  • Third-party cookies: Set by external services, often for ads and analytics. They may store login credentials for social media platforms to allow quick interactions like likes or shares.

By purpose

  • Essential cookies: Needed for core website functions, such as user accounts and secure sessions on e-commerce sites.
  • Optional cookies: Track user behavior for marketing and analytics. These usually don’t affect the site’s functionality.

By storage method

  • Regular cookies: Stored as text files in the browser. Clearing browser data removes them, and the sites won’t recognize you anymore.
  • Supercookies and evercookies are special types stored unusually to avoid deletion. Evercookies, for instance, can be restored via JavaScript even after removal, making user tracking persistent. Learn more about them here.

Cookies can belong to multiple categories: optional cookies are often third-party, while essential cookies can be temporary but crucial for session security. Read the full report on Securelist for more details.

How session IDs are stolen

Cookies containing session IDs are prime targets for hackers. This is known as session hijacking. Here are common methods:

Session sniffing

Hackers can intercept traffic between your browser and the website, especially on HTTP sites where cookies are sent in plain text. Public Wi-Fi networks without strong encryption are particularly risky. Use caution on public networks, or consider mobile data or secure options like ImgConverter eSIM.

Cross-site scripting (XSS)

XSS exploits vulnerabilities in website code, allowing attackers to inject scripts that steal cookies when you visit the affected page.

Cross-site request forgery (CSRF/XSRF)

CSRF tricks your browser into performing actions on a site where you’re already logged in, without your knowledge, like changing passwords or deleting content. Avoid clicking suspicious links and consider tools like ImgConverter Password Manager to warn you of malicious pages.
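The three attacks above map onto three cookie attributes a site can set: Secure (cookie only travels over HTTPS, so sniffing on plain HTTP gets nothing), HttpOnly (page scripts cannot read it, so an injected XSS script cannot simply grab it) and SameSite (the browser does not attach it to cross-site requests, which blunts CSRF). The following is an added example, not code from the original article; it builds a hardened session cookie header with Python’s standard library and audits an arbitrary Set-Cookie value for the missing protections. The cookie name and value are constructed placeholders.

```python
"""Build and audit a session cookie's security attributes (added example)."""
from http.cookies import SimpleCookie
from typing import List

# Constructed placeholder; a real session ID must come from a CSPRNG.
SESSION_ID = "constructed-session-id-123"


def build_session_cookie(session_id: str, name: str = "sid") -> str:
    """Return a Set-Cookie header value with Secure, HttpOnly and SameSite=Lax set."""
    cookie = SimpleCookie()
    cookie[name] = session_id
    cookie[name]["secure"] = True      # only sent over HTTPS: defeats plain-text sniffing
    cookie[name]["httponly"] = True    # hidden from document.cookie: limits XSS theft
    cookie[name]["samesite"] = "Lax"   # not attached to cross-site requests: blunts CSRF
    cookie[name]["path"] = "/"
    return cookie[name].OutputString()


def audit_set_cookie(header: str) -> List[str]:
    """Parse a Set-Cookie header value and list the protections it is missing."""
    cookie = SimpleCookie()
    cookie.load(header)
    findings = []
    for name, morsel in cookie.items():
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure (sent in plain text over HTTP)")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly (readable by injected scripts)")
        if morsel["samesite"].lower() not in ("lax", "strict"):
            findings.append(f"{name}: SameSite not Lax/Strict (sent on cross-site requests)")
    return findings


if __name__ == "__main__":
    hardened = build_session_cookie(SESSION_ID)
    print("Set-Cookie:", hardened)
    print("hardened findings:", audit_set_cookie(hardened))
    print("weak findings:", audit_set_cookie("sid=abc123; Path=/"))
```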

Predictable session IDs

Some websites generate session IDs in predictable ways. Hackers can analyze patterns to guess valid session IDs without sophisticated attacks.

Other techniques include session fixation, cookie tossing, and MitM attacks. Details are in our Securelist post.
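Predictable session IDs and session fixation are both defeated on the server side: issue IDs from a cryptographically secure random source, keep the session table on the server so the cookie carries nothing but an opaque token, expire stale entries, rotate the ID after login, and compare presented IDs in constant time. The following is an added example, not code from the original article; the counter-and-timestamp generator shows the anti-pattern and the store beside it shows the hardened version. The in-memory store, TTL and usernames are assumptions for illustration.

```python
"""Predictable session IDs versus a hardened server-side session store (added example)."""
import hmac
import secrets
from typing import Dict, Optional


def predictable_session_id(counter: int, issued_at: int) -> str:
    """Anti-pattern: anyone who sees one ID learns the format and its neighbours."""
    return f"{counter:06d}-{issued_at}"


class SessionStore:
    """Random IDs, expiry, rotation, and constant-time lookup."""

    ID_BYTES = 32  # 256 bits of entropy from the OS CSPRNG

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self._sessions: Dict[str, dict] = {}
        self._ttl = ttl_seconds

    def create(self, username: str, now: float) -> str:
        """Issue a fresh, unguessable ID bound to the user on the server."""
        session_id = secrets.token_urlsafe(self.ID_BYTES)
        self._sessions[session_id] = {"user": username, "expires": now + self._ttl}
        return session_id

    def lookup(self, presented: str, now: float) -> Optional[str]:
        """Return the user for a valid, unexpired ID, or None."""
        for sid, data in list(self._sessions.items()):
            if data["expires"] <= now:
                del self._sessions[sid]  # a stolen but expired ID is useless
                continue
            # bytes comparison avoids timing leaks and tolerates any input characters
            if hmac.compare_digest(sid.encode(), presented.encode()):
                return data["user"]
        return None

    def rotate(self, presented: str, now: float) -> Optional[str]:
        """Replace the ID after login or privilege change, defeating session fixation."""
        user = self.lookup(presented, now)
        if user is None:
            return None
        del self._sessions[presented]
        return self.create(user, now)


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    sid = store.create("alice", now=1000.0)
    print("random ID:", sid, "->", store.lookup(sid, now=1010.0))
    print("predictable ID:", predictable_session_id(41, 1700000000))
```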

Protecting yourself from cookie theft

While developers bear much responsibility, users can take proactive steps:

  • Enter personal info only on HTTPS sites.
  • Heed browser warnings about suspicious certificates.
  • Keep browsers updated or enable automatic updates.
  • Regularly clear cookies and cache to remove old session data.
  • Avoid suspicious links, especially from unknown sources. Tools like ImgConverter Premium can alert you before visiting malicious sites.
  • Enable two-factor authentication (2FA) whenever possible, storing tokens safely with ImgConverter Password Manager.
  • Accept only essential cookies instead of all cookies by default.
  • Use public Wi-Fi only when necessary and avoid logging into sensitive accounts on such networks.