Billions of Cookies Up For Grabs As Experts Warn Over Session Security (theregister.com)
- Reference: 0177875349
- News link: https://it.slashdot.org/story/25/05/31/0020249/billions-of-cookies-up-for-grabs-as-experts-warn-over-session-security
- Source link: https://www.theregister.com/2025/05/29/billions_of_cookies_available/
> More than 93.7 billion of them are currently available for criminals to buy online and of those, between 7-9 percent are active, on average, according to NordVPN's breakdown of stolen cookies by country. Adrianus Warmenhoven, cybersecurity advisor at NordVPN, said: "Cookies may seem harmless, but in the wrong hands, they're digital keys to our most private information. What was designed to enhance convenience is now a growing vulnerability exploited by cybercriminals worldwide. Most people don't realize that a stolen cookie can be just as dangerous as a password, despite being so willing to accept cookies when visiting websites, just to get rid of the prompt at the bottom of the screen. However, once these are intercepted, a cookie can give hackers direct access to all sorts of accounts containing sensitive data, without any login required."
>
> The vast majority of stolen cookies (90.25 percent) contain ID data, used to uniquely identify users and deliver targeted ads. They can also contain data such as names, home and email addresses, locations, passwords, phone numbers, and genders, although these data points are only present in around 0.5 percent of all stolen cookies. The risk of ruinous personal data exposure as a result of cookie theft is therefore pretty slim. Aside from ID cookies, the other statistically significant type of data that these can contain are details of users' sessions. Over 1.2 billion of these are still up for grabs (roughly 6 percent of the total), and these are generally seen as more of a concern.
Billions of cookies (Score:1)
Send them to Gaza - aren't they all starving there?
Re: Billions of cookies (Score:2)
The purchaser appears to live on "Sesame St." Weird.
The article should say.... (Score:1)
Closed source platforms still trading users' creds to develop "user experience" (open source too).....
All due to gross incompetence (Score:2)
One of the most important characteristics of a secure access cookie is "session only" or at the very least "short lifetime". As in "same day". But we have too many crappy applications made by people that do not even understand the very basics of security.
Holy shit, Lone Gunmen was right again (Score:2)
[1]https://m.youtube.com/watch?v=... [youtube.com]
They compromised our cookie!
[1] https://m.youtube.com/watch?v=kgWQOn7Kyu8&t=1s&pp=2AEBkAIB
Cookies! (Score:2)
[1]https://www.youtube.com/watch?... [youtube.com]
[1] https://www.youtube.com/watch?v=J4IbbvbPMgM
Enforced Standards (Score:4)
I think this is another example of how unregulated systems fail. As I understand it, cookies are supposed to be secure when done properly. But there is no way to enforce them being done properly. It's past time that programming standards are established and enforced. AI makes that even more important. There needs to be some way found to reliably test output.
Name and shame (Score:3)
I would like to see some group inspect those cookies and domains to see which ones aren't using the feature properly through encryption, timeouts, etc. Nothing wrong with cookies and sessions. Who would want to log in constantly? But there's a right way and a wrong way. If any financial institutions aren't managing sessions properly, we should know who they are.
Re: (Score:1)
Doesn't seem like the ENTIRE scamable crypto front end was developed just to exploit this ...?
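The "session only or short lifetime" point and the "inspect those cookies" idea raised in the comments above can be checked mechanically against a site's own Set-Cookie headers. The following is an added example, not code from the article or from any commenter; the 24-hour limit, the SameSite policy and the sample headers are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_LIFETIME = timedelta(hours=24)  # assumption: "same day" read as 24 hours

def audit_set_cookie(header, now):
    """Return (cookie_name, findings) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    # Policy assumption: session cookies should be SameSite=Lax or Strict.
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict")
    # Max-Age wins over Expires (RFC 6265); neither means a session-only cookie.
    lifetime = None
    if "max-age" in attrs:
        try:
            lifetime = timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            findings.append("unparseable Max-Age")
    elif "expires" in attrs:
        try:
            lifetime = parsedate_to_datetime(attrs["expires"]) - now
        except (TypeError, ValueError):
            findings.append("unparseable Expires")
    if lifetime is not None and lifetime > MAX_LIFETIME:
        findings.append(f"lifetime {lifetime.days}d exceeds 24h")
    return name, findings

# Constructed sample headers, not taken from any real site.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "sid=abc123; Path=/; Max-Age=31536000",
    "auth=xyz; Secure; HttpOnly; SameSite=Lax; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
]

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for header in SAMPLE_HEADERS:
        name, findings = audit_set_cookie(header, now)
        print(name, "->", findings or "ok")
```

A cookie with neither Max-Age nor Expires is treated as session-only, which is the case the first comment calls for; the check says nothing about server-side session expiry, which has to be verified separately.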