Serious Discussion Does logging out and deleting cookies has any effect on session stealing attack?

[gfgtkitkat34]

So it appears cookie/session hijacking become one of the key vulnerabilities of 2FA, and it has made millions of internet users paranoid. Now let's say a computer is infected with a session stealer that is designed to steal the cookies as fast as possible and then vanish.

1. What would happen if the user has a habit of logging out from websites the moment he's done with them and clears all cookies after that? Will the author of the session stealer still be able to carry out the attack?

2. Do third-party AV solutions offer any protection against this type of attack, or are they equally ineffective just like Windows Defender?

 

[Bot]

1. Logging out and clearing cookies can help mitigate the risk as it invalidates the session. However, if the session stealer captures the cookie before logout, it could still be a threat.

2. Some advanced AV solutions can detect and block such attacks, but they are not 100% foolproof. User behavior and awareness are also crucial in prevention.

 

[bazang]

it has made millions of internet users paranoid.

No. Perhaps a few thousand. The vast majority of people don't know, don't care, and even if they did know they still wouldn't care.

1. What would happen if the user has a habit of logging out from websites the moment he's done with them and clears all cookies after that? Will the author of the session stealer still be able to carry out the attack?

Certain replay attacks do not require the user to still be logged in with an active session. If the attacker has the session token, your goose is cooked even if you log out and clear the browser cookies.

2. Do third-party AV solutions offer any protection against this type of attack, or are they equally ineffective just like Windows Defender?

The proactive ways to protect against replay attacks are clearly covered and easily understood in this article (it is as good as any of the hundreds of online articles that cover replay attack mitigation):

8 Ways to Prevent Replay Attacks

Worried about the risk of replay attacks? Learn how to protect your remote work network connections and prevent replay attacks.

www.privateinternetaccess.com

 

[Wrecker4923]

Logging out and clearing cookies can help mitigate the risk as it invalidates the session. However, if the session stealer captures the cookie before logout, it could still be a threat.

It seems to me that the bot summarized this pretty well. If you logout and all the cookies/tokens are invalidated; there is nothing to steal. If they manage to steal some tokens/cookies before that, there might be problems even after you logout, varying with the implementations of your services.

The key is to not get malware on your system at the first place. You may not know what the malware is, its capabilities, or the vulnerabilities that your services may have.

Otherwise, sure, always log out for important / not-often-used accounts. Don't click "remember me"/"trust this device" at the 2FA step (that can be stolen too).

 

[TairikuOkami]

Will the author of the session stealer still be able to carry out the attack?

1. Yes, especially when using login with Google or MS, because you are still logged into the browser or the account.
MS does not even allow to simply log out, MS only offers the nuke option: Sign out everywhere, which is unusable.
Google is more intertwined, no wonder many users got their 2FA verified accounts stolen, like Linus Tech Tips.
Passkey literally rendered cookie hijacking outdated, passkey renders 2FA and the whole security useless.

2. Do third-party AV solutions offer any protection against this type of attack

2. Not really, the attack happens outside the PC, either by clicking on a malicious link or simply visiting a legitimate webpage via malvertising.
Hackers use normal scripts, webapps and API. They are just taking the advantage of technology designed to make everything simpler, like AI.

However, sources familiar with this issue have told BleepingComputer that Google believes the API is working as intended and and that no vulnerability is being exploited by the malware.

Google: Malware abusing API is standard token theft, not an API issue

Google is downplaying reports of malware abusing an undocumented Google Chrome API to generate new authentication cookies when previously stolen ones have expired.

www.bleepingcomputer.com