Stealing cookies: Researchers describe how to bypass modern authentication

Passwords and other knowledge-based forms of authenticating user identity continue to be a weak point in the security of digital systems. 

Stolen credentials have been a factor in nearly a third of all breaches tracked by Verizon over the past decade, according to its recently released Data Breach Investigation Report. They’re also the first thing most attackers are likely to look for after gaining initial access, highlighting the central role that passwords and other credentials have become to modern compromises.

That development has led to the rise in popularity of more modern authentication methods and standards like FIDO2, which verifies users via unique cryptographic credentials generated by and tied to hardware devices, like a smartphone or desktop. This form of authentication does not rely on passwords, instead pairing a security key or biometric ID on a hardware device with multifactor authentication to access applications through a single sign on (SSO) solution.

But even these protections can be sidestepped in some circumstances by a determined attacker. In research shared exclusively with CyberScoop ahead of this week’s RSA Conference, Silverfort’s Dor Segal and Yiftach Keshet laid out a method for bypassing this form of authentication, via a man-in-the-middle (MITM) attack capable of hijacking and replicating user sessions in many applications that use SSO solutions, including Microsoft Entra ID and PingFederate.

Standards like FIDO2 were developed to protect users and businesses against phishing and MITM attacks, in large part by moving away from authentication factors — such as passwords — that can be stolen through hacking or social engineering and replacing them with hardware, security keys or biometric signals that are much more difficult to obtain.

But this method relies on third-party solutions, like SSO, that must create an authentication session to serve as a gateway between the user and the application they’re accessing. While internet protocols like Transport Layer Security encrypt traffic on the front end of that process, those protections don’t extend to the tokens and traffic sessions they are used to authenticate, which can linger and endure for hours.

Tokens function like a digital key to keep a digital door ajar once it’s been opened, and even when technology like FIDO2 is in use, an attacker situated between the victim and the application can intercept and re-use these session tokens to gain access to a user’s account, Segal said.

“Once the authentication has ended successfully, there is an entire authenticated session in which sensitive data is sent back and forth,” Segal said. “And this session token itself can be replicated over and over and over again, with no geographic protection or limitation on [the number of] tokens.”

Keshet said this kind of attack is possible because the most common implementation of standards like FIDO2 tends to offer strong protection during the authentication phase, but once a user is authenticated, there are few restrictions for what they can access with a valid session.

This form of authentication “makes it very hard to get through the door, but once you’ve got through the door, then you are fine,” Keshet said. “You have the token of your firewall to authenticate it, then an attacker can hijack the session and replicate it and do whatever they want.”

Some necessary caveats: This kind of attack can only be pulled off in relatively narrow circumstances by a dedicated attacker. Segal said the user would need to have installed a malicious browser extension or be in transit and use public Wi-Fi where their traffic could be intercepted and decrypted through a MITM attack. That means an attack like this could only work under a limited set of conditions.

While this method would allow an attacker to bypass protections offered by passwordless standards like FIDO2, Segal said it is ultimately the responsibility of application developers to prevent misuse of the session tokens they create. While Silverfort’s research does point toward some holes in the overall process that standards like FIDO2 rely on, the researchers emphasized that such methods remain vastly superior to passwords and knowledge-based forms of identity protection. 

Jeremy Grant, a policy adviser at the FIDO Alliance who served as program lead during the Obama administration for the White House National Strategy for Trusted Identities in Cyberspace, told CyberScoop that the bypass methods outlined in the research are technically correct but do not reflect flaws or vulnerabilities in FIDO’s authentication standards.

Rather, it highlights the inability of industry to create a common way to protect authentication tokens from being stolen or abused.

The type of attack described by Silverfort’s research can be mitigated by a technique known as “token binding,” but the companies that maintain the ubiquitous applications that would need to be protected using this tool have failed to embrace it.  

Token binding works by adding an additional security layer, explicitly binding the authenticated session token to the underlying TLS handshake that is used to encrypt traffic on the front end. In practice, this means only the actual user would be able to use that token to access applications, and it would prevent an attacker from replicating that session indefinitely to maintain their access.

“This will practically validate that the token can be used only within the context of this single, authenticated session [and] can’t be used anywhere else,” Keshet said.

Major tech companies like Google, Microsoft, Yubico and others have embraced token binding in some of their products, but overall adoption remains low. The only major browser to support token binding is Microsoft Edge.

In 2018, Chromium, an open-source web browser project maintained by Google that develops much of the underlying codebase for Google Chrome and other browsers, discontinued support for token binding, with developers citing limited benefits and low adoption rates.

“After weighing the security benefit of Token Binding against the engineering costs, maintenance costs, web compatibility risk, and adoption, it does not make sense to ship this feature,” Chromium developer Nick Harper wrote at the time, citing metrics indicating that less than .01% of observed HTTPS requests had token binding turned on.

Last month, Google announced it would be implementing a Beta version of what it called “Device Bound Session Credentials,” which operate in a similar way by binding authentication sessions to specific devices, to protect against session and cookie theft in Chrome.