i mean that as in, being able to enter my accounts without even using my password or without installing any virus in my computer. thank you!!
“Hack” is a pretty imprecise term, but let me see if I can discern what you mean by it.
I’m guessing you mean something like “log in as me,” in a way that would allow a hacker to see your private information and take actions as you, yes? (You mentioned Facebook, so something like reading private DMs and/or making posts as you would be your concern, yes?)
First off, there are some things about software security that require specialized/professional knowledge to understand, but a lot of software security is things that you can mostly work out for yourself with no “magic” involved.
You said in your original post “without using my password”, but do for sure consider that if your password is “1234” or the word “password” or something similarly easy to guess, that’s definitely one way that a hacker could gain access to your accounts without compromising your computer.
Similarly with your “secret questions” for account recovery. (That feature is usually used to let you back into your account if you forget your password.) If your answers are easy to guess, that can (depending on how exactly the website acts) be used to gain access to your account.
Cookies are unique identifiers that websites give you to uniquely identify you. Websites can handle requests from thousands of different users in a single second and need to be able to keep track of which requests are for the user “TootSweet” and which are for the user “adrian rodriguez” (and which are for which of the other thousands of users.) When you visit a website and your browser doesn’t give a cookie value, the website assigns you a cookie value (typically a very large number.) Thereafter, your browser will send the cookie value to the website every time your browser sends a message to the website.
When you log in, the website saves some information on its side saying “all messages with the cookie value 12345678 are for the user ‘adrian rodriguez’.”
So, if you’re logged into a website with the “remember me” feature, that means there’s a cookie value in your browser that the website knows is you. Anyone with that cookie value can access the website as you.
Your browser does its best to make sure that that cookie value isn’t leaked to anyone. It’s supposed to be kept a secret between the website and your browser. And unless the website isn’t following good security practices, the website only assigns very large, random numbers that are very very hard for a hacker to guess.
So in practice, for a hacker to access your accounts as you via your cookies, somehow they’d have to get your cookie value. And that cookie value only exists on your computer and on the website’s computers.
If a hacker was targeting you, they might try to trick you into giving them your cookie value. They’re not terribly easy for a casual user to find, but if a hacker walked you through the process without telling you that they were trying to steal your identity and log in as you, theoretically it could be done. That would involve following some somewhat complex and opaque steps, though. Or a hacker might try to infect your computer with a virus that would go find the cookie values where your browser keeps them and send those cookie values to the hacker. There are some other potential ways they might try to steal your cookie values, but for most users, those are pretty unlikely scenarios where the hacker would probably be walking you through it step-by-step over the phone or some such.
There have been a few times when the account of someone I knew started posting spam messages or some such. I suspect in the significant majority of cases where that’s happened, it’s been because they used a very weak password or there were viruses on their computer or phone.
If that happened to you recently or you’re concerned about that potentially happening to you in the future, changing your passwords (and switching to a password manager like “LastPass” or short of that just picking a very hard-to-guess password and not reusing the same password for multiple accounts), enabling 2-factor authentication, reporting the incident to the website(s) where your account(s) were compromised (if possible), and logging out are probably your best options.
Deleting your cookies regularly can’t hurt, but it doesn’t really do anything other than log you out of all websites. (I’m oversimplifying a little, actually. But not much. It would technically be a little safer to log out of websites when you’re done using them than delete your cookies. Logging out lets the server know to stop thinking that the cookie value number is associated with your account. Deleting your cookies just makes your computer forget the cookie value. If someone already has your cookie value for a particular website, then deleting your cookies won’t do anything to revoke their access. But logging out theoretically might in some circumstances.)
Also, deleting your cookies on your phone won’t do anything about dedicated apps that you’re logged into. So, for instance, if you’re logged into the Facebook Messenger app, deleting your cookies from your browser won’t log you out of your Facebook Messenger app.
One other thing I’ll mention. You asked if providing your email address to a website could allow a hacker to access your accounts. Think to yourself: if you only knew your email address and not your password and you were logged out of an account, could you use just the email address to log in? If the answer is “no”, then chances are the same is true for “hackers.”
Sorry. I went into this post trying to explain things simply, but it’s a complex topic! I hate that there’s an extent to which you do have to be an engineer to understand some of this stuff and make good software security decisions. But there’s definitely also an extent to which you can improve your security without a degree in computer science. I hope some of this has helped at least somewhat.
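The cookie-value mechanics described in the comment above, as an added example that is not part of the original post: a toy server-side session store showing why logging out revokes a stolen cookie value (the server forgets the number) while deleting cookies in your own browser does not (only your computer forgets it). It models the case where the site actually drops the session on logout; the class and function names and the usernames are my own choices for illustration.

```python
# Added example, not from the thread: a toy server-side session store that shows
# why logging out revokes a stolen cookie value while deleting the cookie in
# your own browser does not. Class and function names are assumptions.
import secrets
from typing import Dict, Optional


class SessionStore:
    """The server's side of 'remember me': maps session IDs to usernames."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def login(self, username: str) -> str:
        # 32 random bytes (256 bits): far too large to guess, unlike "12345678".
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = username
        return session_id

    def whoami(self, session_id: Optional[str]) -> Optional[str]:
        """Who the server believes is sending this cookie (None = logged out)."""
        if session_id is None:
            return None
        return self._sessions.get(session_id)

    def logout(self, session_id: str) -> None:
        """Logging out tells the server to forget the ID; any copy of it dies too."""
        self._sessions.pop(session_id, None)


def set_cookie_header(session_id: str) -> str:
    """How a careful site hands the ID to the browser: HttpOnly keeps page scripts
    from reading it, Secure keeps it off plaintext HTTP."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def victim_deletes_cookies() -> Dict[str, Optional[str]]:
    """Attacker already copied the cookie; victim then clears the browser's cookies."""
    store = SessionStore()
    browser = {"session": store.login("adrian rodriguez")}
    stolen = browser["session"]          # attacker's copy (malware, walked-through theft)
    browser.clear()                      # victim "deletes cookies": only the browser forgets
    return {"victim": store.whoami(browser.get("session")),
            "attacker": store.whoami(stolen)}


def victim_logs_out() -> Dict[str, Optional[str]]:
    """Attacker already copied the cookie; victim then clicks 'Log out'."""
    store = SessionStore()
    browser = {"session": store.login("adrian rodriguez")}
    stolen = browser["session"]
    store.logout(browser.pop("session"))  # server forgets the ID
    return {"victim": store.whoami(browser.get("session")),
            "attacker": store.whoami(stolen)}


if __name__ == "__main__":
    print("after deleting cookies:", victim_deletes_cookies())
    print("after logging out:     ", victim_logs_out())
```

Run it and the first scenario still reports the attacker as "adrian rodriguez" while the second reports None for both, which is the whole difference between clearing cookies and logging out. Real sites add expiry and "log out everywhere" on top of this, but the server-side lookup is the part that matters.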
i am a software developer so i know those things, and yes it’s complex, but i was afraid because i used to use firefox with cookies disabled, and i thought it was safe, but i will not give anyone my cookie value. thank you!!
It somewhat depends on what kind of accounts you mean, and how you define hacking. It’s possible, but here’s the bigger explanation.
Someone who works at Facebook(just an example, could be any company) with the appropriate access could probably look up your account data without using your password or installing a virus. This could be done for legitimate support reasons, or be considered hacking if it’s done against policy.
Someone who hacks a company that you have an account with could potentially get access to the same information, again without touching your password or computer. These big leaks happen all the time; they’re the ones you hear about on the news, though they usually don’t get full access to everything. They do not usually get the actual passwords for individual accounts, but could get information like name, birthday, credit card, activity, etc.
There’s also a form of hacking called a Man in the Middle attack, where someone will set up a compromised internet connection (usually wifi) that you then connect to thinking it’s fine. This system can then detect your device connecting to certain companies (again I will use facebook as an example) and will instead take the authentication piece your phone sends, and itself send the data to facebook, then get the authorization token from facebook, and send you a fake one. Then it sits in the middle and everything you do it passes on, so it looks like it’s working fine, but it can also send its own requests.
so do i strengthen my browser and delete the cookies every now and then??
That wouldn’t protect from any of the issues mentioned in that comment.
The first two you can do nothing to prevent.
You can usually avoid MITM attacks by using a VPN anytime you are away from a trusted internet connection.
Also by using HTTPS everywhere and not clicking through warnings about a certificate being invalid.
HTTPS isn’t secure against MITM attacks. That’s one of the reasons why it’s so nefarious.
yes!! that option is ~enabled ~ on my browser!!
Depends on the type of account, but here are some of the common methods of how this might happen:
- The attacker could be straight up guessing the password. (One possible way to mitigate this: the website can go “wow, 10 failed login attempts from that source. I’m going to ignore all attempts from there for 24 hours.”)
- The attacker could be using previously exposed passwords. (One possible way to mitigate this: The websites should immediately require password reset for all users when that kind of data breach happens. For users: never use same password for multiple different services, certainly never reuse a compromised password even if it’s for a different service. Also: haveibeenpwned.com)
- The attacker, currently using the same network, could hijack the session. (This was a really huge problem back in the day. In this day and age, websites should be using HTTPS, which limits this very much. Still possible if the site doesn’t use HTTPS, and through some other vectors, e.g. malware or hijacked network hardware).
Also: Malware is a really scary big problem in that they’re rarely targeting you specifically. Why do that, when they can hit a million people at the same time and sift through that stolen data for the most valuable stuff, right?
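The first two mitigations in the list above (lock out a source after 10 failed attempts for 24 hours; never let a breached password be used), as an added example that is not part of the original comment. The user table, the tiny breached-password set and all names are constructed for illustration; a real site stores salted password hashes and checks against a real breach corpus such as Pwned Passwords rather than this set.

```python
# Added example, not from the thread: a source-based login lockout like the one
# described ("10 failed attempts, ignore that source for 24 hours") plus a check
# that rejects passwords known from past breaches. User table, breached list and
# function names are constructed for illustration.
import hashlib
import hmac
import time
from collections import defaultdict
from typing import Callable, Dict, List

LOCKOUT_THRESHOLD = 10          # failed attempts before a source is ignored
LOCKOUT_SECONDS = 24 * 60 * 60  # how long the source stays ignored


class LoginThrottle:
    """Counts failed logins per source (e.g. client IP) and locks noisy sources out."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                           # injectable so tests can skip ahead
        self._failures: Dict[str, int] = defaultdict(int)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, source: str) -> bool:
        until = self._locked_until.get(source)
        if until is None:
            return False
        if self._clock() >= until:                    # lockout expired: start fresh
            del self._locked_until[source]
            self._failures[source] = 0
            return False
        return True

    def record_failure(self, source: str) -> None:
        self._failures[source] += 1
        if self._failures[source] >= LOCKOUT_THRESHOLD:
            self._locked_until[source] = self._clock() + LOCKOUT_SECONDS

    def record_success(self, source: str) -> None:
        self._failures.pop(source, None)


# Constructed stand-in for a breach corpus, keyed by SHA-1 as Pwned Passwords is.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("password", "1234", "letmein")
}


def is_breached(password: str) -> bool:
    """True if the password appears in the (constructed) breach corpus; reject it at signup."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


# Constructed user table. A real site stores a salted password hash, never the password.
USERS = {"adrian": "correct horse battery staple"}


def attempt_login(throttle: LoginThrottle, source: str, username: str, password: str) -> str:
    """Returns 'locked', 'denied' or 'ok'."""
    if throttle.is_locked(source):
        return "locked"                               # ignored even if the guess is right
    stored = USERS.get(username, "")
    # constant-time compare; an unknown username still costs the source a failed attempt
    if stored and hmac.compare_digest(stored.encode(), password.encode()):
        throttle.record_success(source)
        return "ok"
    throttle.record_failure(source)
    return "denied"


def brute_force_then_wait() -> List[str]:
    """An attacker guesses ten times, then tries the real password, then waits a day."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    source = "203.0.113.5"                            # documentation-range IP, constructed
    results = []
    for guess in ("password", "1234", "letmein", "qwerty", "abc123",
                  "111111", "iloveyou", "admin", "welcome", "monkey"):
        results.append(attempt_login(throttle, source, "adrian", guess))
    results.append(attempt_login(throttle, source, "adrian", USERS["adrian"]))  # locked
    now[0] += LOCKOUT_SECONDS                         # 24 hours later
    results.append(attempt_login(throttle, source, "adrian", USERS["adrian"]))  # ok
    return results


if __name__ == "__main__":
    print(brute_force_then_wait())
    print("is 'password' breached?", is_breached("password"))
```

The eleventh attempt is refused even though it carries the correct password, which is the point of the lockout; the trade-off is that an attacker who knows your IP-based lockout exists can use it to lock you out, so production systems usually key on a mix of source and account and add CAPTCHAs or exponential backoff rather than a flat 24-hour ban.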
but if i type my email into haveibeenpwned.com, the owners of the website will see my email and could try to pawn it? i’m sorry, but that is a concern i have.
Email addresses are pretty much public, you give it out to people all the time. It’s no different to giving your physical address, it allows someone to link you to a location, but your house is there anyway if someone walks down the road and wants to break in.
No, that is not the point of that website. The point of HIBP is to inform you when accounts have been compromised in the past and highlight why you need to use separate passwords for each site. You seem to be worried about attacks called Credential Stuffing, and that attack is completely useless with a different password per site.
The site creator and owner Troy Hunt is a national treasure and you can check him out online to see his ethos about security.
Yeah absolutely they can if you’re using poor online security. The most common would be through reused passwords since websites have breaches all the time. This can easily be mitigated with the help of a password manager and 2fa (stick with totp, passkeys and hardware security keys). The second most likely method would be through phishing schemes, where a realistic looking message from a website/app is sent to you and you input your account credentials. AI is also making this much more difficult since realistic sounding voices of loved ones can be used to trick you into sending over your account credentials, but that would be more of a targeted attack. You really just need to be aware of what you’re doing, not click on links unless you were expecting them, and double check identifying information from the sender to protect yourself from this. The last method is really a targeted attack and that’s social engineering. This is where a scammer calls in to support pretending to be you, with personal information most likely from online breaches, in hopes of gaining your account credentials. You would just really need to rely on your 2fa and the training of support reps to protect you from this. Mostly common with phone carriers so make sure 2fa is enabled there.
Technically it is possible yes but this question is both too specific and too vague to give a proper answer i feel.
A hacker could be exploiting security vulnerabilities in the software/website or employing phishing techniques to trick you into giving access. This way they don’t need a password or virus.
It’s also possible that a chunk of your account data got leaked and they have that data rather than full access.
Is there more context to this story?
yes, there is more context. the original post was talking about services i use, for example, if i used facebook and my browser didn’t delete cookies or history, can it give access to hackers to my account??
History and cookies are not generally a security vulnerability. Cookies can be a vulnerability but only if the hacker gets access to your device somehow, either by stealing it or through a virus for example. You don’t really have to worry about cookies or history for security reasons, only privacy reasons.
Two-factor authentication (2FA) is usually a good thing to enable in order to make it more difficult for an unauthorised person to log in to your account remotely, as they will need that second authentication to be able to log in.
Unless someone has access to your computer, cookies & history don’t really matter. However, if you log in to facebook, and then leave your computer open for 10mins, someone could open up facebook again and you would likely still be logged in. If that’s a scenario you’re worried about, then you could erase all your browsing session data to ensure that you’re effectively logged out everywhere.
Edit: below 2 links are also good to check if your email and/or your passwords have been leaked as part of a breach. Before using them, I would do a bit of research on the site to make sure you trust it. Always be sceptical with sensitive info!
ok thank you very much!!
Yes
Unless you’re talking about local accounts, remote accounts are inherently remote by definition and additional attack vectors apply.
I heard about a dude who can enter anyone’s Discord in minutes. this information jumped 3 times until getting to me basically. So idk how true it is.
There’s always packet sniffing but the person would have to have access to the network
Yes - “session hijacking”
Session jacking usually requires a virus of some sort. They need local access to the computer at a minimum.
Eh, compromising the website in some way with XSS can retrieve this information also.
Sketchy browser plugins have been a popular method recently.
That would be considered a virus.
It would be considered malware but not technically a virus.
Most people consider any sort of “thing installed or running on my computer against my knowledge doing bad stuff” to be a virus.
That’s why the OP said “installing any virus in my computer”
A virus is specifically malware that automatically spreads to other devices. It’s similar to a worm. They tend to spread surreptitiously using vulnerabilities or design flaws. To me that’s quite different than installing a shady browser plugin, and imo it’s better to use the term malware to make it clear privacy violating browser extensions are something people unfortunately choose to install, unlike a virus.
A lot of the shady browser extensions don’t start shady, they get bought from the original creators and updated into something malicious.
Either way, your average non-technical person couldn’t tell you the difference, so it hardly matters.
how can i avoid that to happen?? do i delete cookies and history every time i leave my browser?? thank you!!
Make sure you keep your software (operating system, browser etc) up to date and don’t install sketchy software.
Install a reputable ad blocker on your browser as that can help.
ok thank you!! i only install open source software or software that is known to be secure.
While a good mentality to have, it is not practical.
Unless you audit every open source project you use, how do you know it is safe? Look up Heartbleed, a disastrous security hole in the most popular open source security package that went unknown for years. And how do you know closed source is secure? Look at MS, Apple, Atlassian: all major closed source orgs that have released patches for critical vulnerabilities.
Your saving grace is unless you are working for a high profile company in a sensitive area there is little chance you will be directly targeted. The only time you get targeted is when bad actors do a scattergun approach and sees who responds.
Yeah, I am very good at accessing accounts, mostly social media accounts, although there are different methods we work with in regard to accessing an account; it all depends on how tight the security is.
I won’t ask you to teach me, ’cause why would you. But can I ask where you learn these skills? You’re the 3rd guy I know that exists and can do this.