Don’t Let the Cookies Bite: Kaspersky Warns of Rising Web Session Hijacking Risks

A new report from Kaspersky highlights a growing cybersecurity concern: the hijacking of web session cookies. While 87% of surveyed websites display cookie notifications, most users remain unaware of the dangers these small text files may pose.
Cookies are designed to enhance browsing by storing preferences, login data, and other details. But when exploited, they can expose users to cyberattacks. One of the most alarming threats is session ID hijacking, where attackers gain unauthorized access to an active online session. This can enable malicious actors to retrieve sensitive information or even perform unauthorized actions on behalf of the victim, such as fraudulent transactions.
How Session Hijacking Works
Depending on website settings, cookies can contain anything from basic browsing preferences to personal data, payment information, or login credentials. Attackers use various techniques to steal these files:
- Session sniffing: intercepting session IDs on unsecured public Wi-Fi or on websites using HTTP instead of HTTPS.
- Cross-site scripting (XSS): injecting malicious code into a site that runs in the user’s browser to steal cookie data.
- Session fixation: tricking a victim into using a pre-set session ID, giving attackers access once the user logs in.
In real-world cases, this could mean stolen shipping addresses, compromised payment details, account takeovers, or even identity theft. Victims also risk reputational harm if their accounts are used for spam or fraudulent activity.
Expert Warning
“Cookies are the backbone of seamless online experiences, enabling everything from personalized settings to streamlined logins. But they’re also a target for hackers if not handled with care,” said Natalya Zakuskina, Senior Web Content Analyst at Kaspersky. “Without proper safeguards, attackers can exploit session IDs to hijack user accounts, steal sensitive data, or manipulate website interactions. Developers must prioritize stronger protections, and users need to stay proactive in defending their digital footprint.”
Kaspersky’s Recommendations
For users:
- Avoid entering sensitive information on HTTP-based websites and refrain from using public Wi-Fi without a VPN.
- Accept only essential cookies when possible, and clear browser cookies and cache regularly.
- Enable two-factor authentication and avoid suspicious links.
For developers:
- Enforce HTTPS across all pages.
- Use HttpOnly and Secure cookie flags.
- Implement CSRF tokens.
- Ensure session IDs are cryptographically secure.
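As an added illustration of the developer recommendations above (example code, not from the Kaspersky report), the snippet below generates a session ID from the OS CSPRNG, emits a Set-Cookie value with the HttpOnly and Secure flags, binds a CSRF token to the session, and audits a cookie header for missing flags. The cookie name `sessionid`, the server secret and the HMAC-based CSRF design are assumptions.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "sessionid"  # assumed cookie name


def new_session_id():
    """256-bit session ID from the OS CSPRNG (never time- or counter-derived)."""
    return secrets.token_urlsafe(32)


def session_set_cookie(session_id, max_age=3600):
    """Build a Set-Cookie value carrying the flags the report recommends."""
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = session_id
    m = jar[SESSION_COOKIE]
    m["httponly"] = True    # hidden from document.cookie, so XSS cannot read it
    m["secure"] = True      # sent only over HTTPS, so it is not exposed to sniffing
    m["samesite"] = "Lax"   # not attached to most cross-site requests
    m["path"] = "/"
    m["max-age"] = max_age  # bounded lifetime narrows the window of a stolen ID
    return m.OutputString()


def audit_set_cookie(header_value):
    """Return the recommended attributes missing from a Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(header_value)
    missing = []
    for _name, m in jar.items():
        if not m["httponly"]:
            missing.append("HttpOnly")
        if not m["secure"]:
            missing.append("Secure")
        if not m["samesite"]:
            missing.append("SameSite")
    return missing


def csrf_token(session_id, server_secret):
    """CSRF token bound to the session via HMAC (assumed design, server_secret is bytes)."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id, server_secret, submitted):
    """Constant-time comparison so a forged token cannot be probed byte by byte."""
    return hmac.compare_digest(csrf_token(session_id, server_secret), submitted)


if __name__ == "__main__":
    print(session_set_cookie(new_session_id()))
    print(audit_set_cookie("sessionid=abc123; Path=/"))  # constructed weak header
```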