SEC504: Hacker Tools, Techniques, and Incident Handling

Multifactor Authentication (MFA) has advanced information security beyond the dark days of a simple username and password. While this additional layer of protection is essential, the foundation of internet authentication still largely rests on an antiquated (and inherently insecure) technology: the browser cookie. No matter how many authentication factors are used, many web applications still ultimately grant or deny access based on the contents of cookies. The cookie is a bearer token, meaning anyone in possession of the authentication cookie is granted access to the resource, with no questions (or passwords) asked. While MFA added a mechanism to authenticate users, there have been few advancements in securing the token that results from that authentication process. The value of these cookies and of other browser-stored information (autofill data such as passwords and credit card numbers) is well known to hackers, and the information-stealing business has grown over the last five years. According to one estimate, in 2024 alone, over 450 million people had their cookies and other sensitive data pilfered by just one infostealer (Flashpoint, 2024). This project demonstrates how even applications secured with MFA remain vulnerable to hijacked session cookies. Given the persistent threat that stolen authentication cookies pose to organizations, this research proposes implementing Canary session cookies to detect the theft and malicious use of credentials.
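One way a server could detect that a session cookie is being used from a copied cookie jar, as an added example rather than the paper's or SANS's own design: alongside the bearer session id, the server sets a canary cookie that it rotates on every response, so a stolen copy holds a value the legitimate browser has already moved past. All names, the in-memory store and the rotate-on-every-request policy are assumptions for this illustration.

```python
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store for the example; a real deployment would
# use a shared store so every front-end sees the same canary state.
@dataclass
class Session:
    user: str
    canary: str                                # current canary value
    spent: set = field(default_factory=set)    # canary values already rotated out
    revoked: bool = False

SESSIONS: dict[str, Session] = {}

def issue_session(user: str) -> dict:
    """After a successful (MFA-backed) login, issue the bearer session id
    plus the first canary value. Both are returned as cookies to set."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user=user, canary=secrets.token_urlsafe(16))
    return {"sid": sid, "canary": SESSIONS[sid].canary}

def handle_request(cookies: dict) -> tuple[str, str, dict]:
    """Validate the cookies on one request.
    Returns (verdict, reason, cookies_to_set):
      'ok'    - canary matched; a fresh canary is rotated in for this client
      'alert' - canary missing or stale with a valid sid: the cookie jar exists
                in more than one place, so the session is revoked
      'deny'  - unknown or already revoked session id
    """
    sess = SESSIONS.get(cookies.get("sid", ""))
    if sess is None or sess.revoked:
        return "deny", "unknown or revoked session", {}
    presented = cookies.get("canary")
    if presented == sess.canary:
        sess.spent.add(sess.canary)
        sess.canary = secrets.token_urlsafe(16)       # rotate on every response
        return "ok", "canary matched", {"canary": sess.canary}
    # Valid session id but the canary is wrong: distinguish a replayed old
    # value (copied jar) from a client that never had one (replayed sid only).
    reason = "stale canary replayed" if presented in sess.spent else "canary missing"
    sess.revoked = True                               # cut off both holders; force re-auth
    return "alert", reason, {}
```

Whichever holder presents the stale value first triggers the alert, so detection does not depend on the thief acting before the victim.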