What is Browser Session Token Hijacking?

Browser Session Token Hijacking: A Rising Threat to Businesses

Browser Session Token Hijack attacks are on the rise! We have seen numerous instances of businesses being targeted in these types of attack throughout 2024. However, this grave cyber security threat isn’t new, and many overlook the profoundly serious threat is poses, with potential risks to not just individuals but entire businesses. This is something that Linus Media Group, a renowned technology YouTube channel (Including Linus Tech Tips, Techquickie, TechLinked, ShortCircuit and others), experienced in early 2023 and illustrates the potentially devastating threat which this poses to businesses.

What is Browser Session Token Hijacking?

Browser Session Token Hijacking involves the unlawful theft or manipulation of "tokens" that authenticate user sessions within a web browser. Once these tokens are stolen, attackers can clone the user's browser session, thereby circumventing password controls and even multi-factor authentication (2FA/MFA) for online accounts. This can include active sessions such as accessing email accounts, online shopping, social media and even your online banking or web based payroll portals. 

An our example of this, Linus Media Group, despite employing robust passwords and multi-factor authentication, their YouTube account was compromised through this very attack method. A user downloaded a PDF (however this could be any type of file sent through email), believed to be from a brand sponsor, which infected the user's machine. The attacker then managed to steal the signed in user session which included access to a number of their YouTube channels, attackers then proceeded to hide their videos, hijack, rename multiple channels and use those channels to live stream fraudulent content.

This occurrence exposed shortcomings in YouTube's permissions for session, and user management, demonstrating that even well-secured businesses are not immune to this type of attack. Thankfully in the case of Linus Media Group they were able act quickly, took the affected user off the network and destroyed the SSD (Solid State Drive) and managed to work with YouTube to resolve the issue. Due to the users' access levels not having access to all accounts (or other areas of their business), attackers were also not able to access their website, online store, forum, validation labs servers or their own independent video hosting platform.

Why is Browser Session Token Hijacking a Danger to Businesses?

Whilst in the case of Linus Media Group they were able to get this issue resolved, the potential ramifications for other businesses could be severe. In today's era of online collaboration and cloud computing, where employees access company resources via web browsers such as Sharepoint Online, OneDrive, Dropbox, Adobe Creative Cloud, Sage Online and even online banking transactions, a hijacked session token could grant attackers unrestricted access to confidential data, financial records, bank accounts, email services, cloud storage, social media platforms, proprietary assets and much more. If a potential threat actor gains access to even just one of these services it could have potentially devastating consequences for the business, but accounts such as your business emails could also be used to potentially launch additional Supply Chain based attacks.

How can your Business stay protected from Browser Session Token Hijacking?

The key to averting this risk starts with a comprehensive cyber security solution. In a March 24th episode of their Podcast “The WAN Show”, host Luke Lafreniere stated that the attack occurred as the Malware Signature was not picked up by their Anti-Virus before the damage had already been done. Their cyber security solution did generate an alert, however, no automated actions took place in the middle of the night, & when the compromised device was identified, they did not have the staff available to remediate the issue immediately. If they had had a 24/7 Security Operations Centre (SOC) available to them, the SOC would have been able to identify the security breach as it was happening and take measures to prevent it whilst also working with their in-house technical team.

Businesses must recognise that Browser Session Token Hijacking is not merely a hypothetical hazard; it is a concrete threat with real-life implications. To defend against this hidden danger, businesses can mitigate the risks of attack through a number of solutions: 

• Use Customisable Permissions: Only grant specific access rights based on the user's role, through solutions such as PIM, limiting the potential damage from compromised accounts.
• Introduce a Clear All Sessions Solution: Some online services will allow administrators to clear all active signed in sessions, meaning that they can immediately log all users out of their accounts and require password and 2FA access back into their accounts. Web Browsers such as Google Chrome, Microsoft Edge and others are also able to clear all sessions on close, meaning that you would be required to sign back into all services each time you close and re-open a browser.
• Regular Cyber Security Audits and Training: Conducting regular Cyber Security checks and educating employees on the risks of phishing attacks and other cyber security threats will build a robust defence line against these types of attack. For advice on how to spot and prevent phishing, read our article about this.
• Implement a Comprehensive Cyber Security Solution: At TwentyFour we can work with businesses to assess their current Cyber Defence Level, perform Penetration Testing to probe your business for weaknesses, work to understand their business, who has access to what, and who requires access. Implementing a comprehensive cyber security solution, including active monitoring through a security operations centre, can help to protect your business from a wide range of threats, including browser session token hijacking.

The breach of security, such as the one at Linus Media Group, are a very public wake-up call for businesses worldwide, and unfortunately these Token Session Hijack attacks are on the rise in 2024.

In a world where cyber security threats against businesses grow and evolve every day, understanding and guarding against attacks like Browser Session Token Hijacking must be a top priority.  

By embracing the practices mentioned above and fostering a culture of constant vigilance and learning, businesses can create a formidable barrier against this and other cyber threats.