Session takeovers (session hijacking) happen when an attacker compromises an active session by stealing, or hijacking, the HTTP cookie that carries the session identifier, explains the EC-Council. It is also possible to take over a session by predicting the session identifier the server will issue to a particular user, so that the attacker impersonates that user without ever obtaining the user's credentials. Either way, the attacker gains a foothold from which to go deeper into the user's network.
The intruder's goal is full control of the session, which grants the same permissions as the legitimate user. While inside the session, the attacker can also change account data on the server (a recovery address or an API key, for example) so that getting back in later is easy even after the stolen session expires.
Session takeovers happen in several different ways. These include:
- Man-in-the-middle/man-in-the-browser attacks: Intercepting the traffic between the user and the server, on the network path or inside the victim's browser, and lifting the session token from it.
- Session sniffing: Capturing unencrypted (plain HTTP) traffic and reading the session ID out of it.
- Cross-site scripting (XSS): Injecting malicious script into a page the victim loads so that it reads the session cookie and sends it to the attacker.
- Predictable session ID: Guessing a valid session identifier because the server generates IDs in a predictable way (sequentially, or from the time or the username); the longer users stay logged in, the more valid IDs there are to hit.
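The two points in the list that a developer can act on directly are the last two: an ID that can be guessed, and a cookie that script can read or that travels over plain HTTP. The example below is added here and is not code from the EC-Council or from any framework; it contrasts a deliberately weak, counter-based ID generator (a constructed illustration) with one drawn from the OS random source, shows the attacker-side check that exposes the weak one, and builds a Set-Cookie value with the flags that blunt XSS theft and sniffing. The names `WeakSessionIdGenerator`, `guess_next_id`, `session_cookie_header` and `cookie_is_hardened` are assumptions for this example.

```python
import secrets

# Constructed example of a predictable session ID: a zero-padded counter.
# This is deliberately weak; it stands in for any sequential or time-derived scheme.
class WeakSessionIdGenerator:
    def __init__(self, start=1000):
        self._next = start

    def new_id(self):
        sid = f"{self._next:012d}"
        self._next += 1
        return sid

def strong_session_id(nbytes=32):
    """32 bytes from the OS CSPRNG (256 bits of entropy), URL-safe base64."""
    return secrets.token_urlsafe(nbytes)

def guess_next_id(observed):
    """Attacker-side check: given session IDs collected by logging in a few
    times, return the predicted next ID if they form an arithmetic sequence,
    otherwise None. Only decimal-string IDs are considered; anything the
    CSPRNG generator above produces fails the int() conversion."""
    try:
        values = [int(s) for s in observed]
    except ValueError:
        return None
    if len(values) < 2:
        return None
    steps = {b - a for a, b in zip(values, values[1:])}
    if len(steps) != 1:
        return None
    step = steps.pop()
    width = len(observed[-1])
    return f"{values[-1] + step:0{width}d}"

def session_cookie_header(sid, max_age=3600):
    """Set-Cookie value for a session cookie. HttpOnly keeps page script (XSS)
    from reading it, Secure keeps it off plaintext HTTP (sniffing), SameSite=Lax
    stops most cross-site requests from carrying it, and the __Host- prefix
    makes browsers refuse it unless Secure and Path=/ are set and no Domain is."""
    return (f"__Host-sid={sid}; Path=/; Max-Age={max_age}; "
            f"HttpOnly; Secure; SameSite=Lax")

def cookie_is_hardened(header):
    """True if a Set-Cookie value carries HttpOnly, Secure and a SameSite
    setting other than None."""
    attrs = {a.strip().lower() for a in header.split(";")[1:]}
    return ("httponly" in attrs and "secure" in attrs
            and any(a.startswith("samesite=") and a != "samesite=none"
                    for a in attrs))

if __name__ == "__main__":
    weak = WeakSessionIdGenerator()
    seen = [weak.new_id() for _ in range(3)]
    print("weak IDs:", seen, "-> attacker predicts", guess_next_id(seen))
    strong = [strong_session_id() for _ in range(3)]
    print("strong IDs:", strong, "-> attacker predicts", guess_next_id(strong))
    print(session_cookie_header(strong_session_id()))
```

The predictability check is crude on purpose: real token analysis (Burp Sequencer and similar tools) runs statistical tests over thousands of samples, but a generator that fails even this check is broken. Note that the cookie flags do nothing against a man-in-the-browser, which already runs inside the victim's browser session; for that case the defenses are on the endpoint, not in the cookie.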
Beyond intruding on video conferences, hackers use session takeovers to assume control of online banking, make purchases on e-commerce sites and steal sensitive data such as intellectual property or personally identifiable information. Session takeovers can also set up ransomware-style attacks by giving the intruder the access needed to encrypt sensitive files and demand payment to decrypt them. Once inside the session, the hacker can do anything the hijacked account is authorized to do, putting everything that account can reach on your company's servers and devices at risk. In March 2020, a bug bounty hunter disclosed a flaw in the way Slack's infrastructure processed HTTP requests (an HTTP request smuggling bug) that would have let an attacker steal users' session cookies and could have exposed private data from hundreds of corporations; it was reported to Slack and fixed rather than exploited.