Cookie hacking. Hijacking even w TFA

Suggestions on how to avoid?

The video you posted has suggestions on how to avoid it. But it’s the same as always, don’t open strange files you download from the internet, etc.

1 Like

I’m sorry; I couldn’t resist. :joy:

1 Like

Moral of the story, don’t use Google Chrome and process your email using a mail client.

I always use a mail client, Apple Mail. May I ask why using a mail client adds additional protection against what was described in the video? I’m not an expert in these matters so I’m just looking for a simple summary, if such a thing is possible.:slightly_smiling_face:

Article explaining it:,to%20change%20your%20password%20immediately.

I think MacExpert is overstating it. You can avoid the malware the same way as you avoid most of them. Don’t click links in email, don’t open strange files you get online, etc. All of these are really easy to avoid. If you have the malware on your computer, then you need to worry about checking Gmail through Chrome. At least as I understand it.

I have seen a couple of cases where a technically well versed YouTuber has his channel taken over. One got even taken over twice!

The common denominator was that they all were using Google Chrome and processing their email using Gmail. Yes they should not have opened a file that was disguised as an agreement for promotion of a product on their channel (targeted attack!). But on the other hand that’s how business is done. Surely they could / should have paid closer attention but I can understand how these mistakes are made.

Therefor my blanket advice to all my clients is to use Safari as their predominant web browser and use an email client like the default Apple Mail App to process mail.

At a minimum run the free version of Malware bytes on a regular basis. And if possible use CleanmyMacX so clean out the browsers and the system in general. It also has a decent malware protection build inn.

High value targets or those who for some reason keep on attracting malware on their Mac’s I prefer to sun Sophos anti virus.

1 Like

Thanks for your input. Based on what you have shared, I’m probably as “protected” as a “tech layman” can be. Safari is my default browser, Apple Mail is my email client, and I periodically run CleanMyMacX. I don’t click on links from people I don’t know. I don’t even click on attachments or links from people I know or entities I do business with. I go directly to the source. And I don’t use social media, so that is not a vector for infection or phishing attacks. I also use unique passwords for all sites and use 2FA whenever available. I use ExpressVPN when connecting to the internet in public. Everyone is susceptible to being fooled, but I’m careful. Thus far, :crossed_fingers:t2:I’ve never had malware or been hacked.

He says on a forum he regularly posts to. :stuck_out_tongue:


Haven’t watched the video yet, but can anyone explain me why Safari would be safer than Chrome on this aspect?

(Pure curiosity; I don’t use Chrome because of privacy concerns)

Chrome is targeted more because it is popular and it allows more tracking, while Safari is more locked down/privacy focused.

1 Like

Stealing a cookie from someone’s computer is only one way to perform a replay attack. AFAIK the browser we use makes little or no difference if our computer is infected.


Safari/Webkit is pretty popular with the dark side too.

I am talking about in general (referencing the Gmail in Chrome thing), not this specific cookie hacking.

1 Like

:rofl: Indeed, but I don’t consider this forum “social media” per se. " That’s My Story." :slightly_smiling_face:

1 Like

Because Chrome stores everything SQLite including the stored passwords and cookies.
Since Google Chrome is the most commonly used web browser the criminals made the effort to hack this vulnerability.

Safari stores passwords in a separate well protected database “Keychain” and is overall much more conservative with allowing websites doing things inside the browser. This is also why many people don’t like to use Safari because it sometimes (often) “doesn’t work”. You can usually make a stubborn website work by changing a few settings in Safari > Settings > Websites (Content Blocker + Auto Play + Pop Ups) AS NEEDED. If the website still doen’t want to “work” in Safari one has to wonder why the website needs more access and if it can be trusted…

1 Like

I was very surprised to see this statement because I had thought that everything is an SQLite database in Apple systems. And according to this support article, so is the keychain. But this article also mentions the stout defenses Apple has put up around this particular SQLite db.

Keychain data protection - Assistance Apple (MA)

The keychain is implemented as a SQLite database, stored on the file system. There is only one database, and the securityd daemon determines which keychain items each process or app can access …


While SQLite is used by many Apple programs, e.g Mail, the data itself is encrypted.

Right. That was made clear in the support document that I referenced.

Is cookie hijacking usually done by (scripts on) websites or by malware running on a Mac/PC/…?

"imagine an attack that aims to acquire this session cookie and then use it to impersonate you on the targeted website, all from a different computer controlled by the attacker. This action of replaying the session cookie isn’t particularly complex and can be accomplished by importing the cookie into most popular web browsers using simple browser extensions. It is important to note that this doesn’t require sophisticated nation-state-level hacking tools.

Attackers employ several methods to acquire these valuable cookies. They may deploy malware on infected machines to collect cookies directly from web browsers. Alternatively, they might execute Man-in-the-Middle attacks, intercepting cookies from users by using a malicious server that sits between the user’s browser and the target service. Lately, we’ve also seen attackers compromise technical support systems, which conveniently contain recently-exported session cookies from users, originally intended for legitimate troubleshooting purposes."

Quote from:
Defending Your Organization Against Session Cookie Replay Attacks