A new report from Kaspersky Lab, a global leader in digital security, has revealed that 87% of websites surveyed display cookie consent notifications to visitors. However, the majority of users remain unaware of the potential risks posed by these small text files, commonly known as “cookies.”
Cookies are designed to improve website functionality by storing user preferences, login information, and browsing activity. Yet, according to Kaspersky experts, they can also become targets for cyberattacks, leading to serious consequences for both individuals and organisations.
Session Hijacking Risks
One of the most prominent threats highlighted in the report is session hijacking, in which attackers steal a user’s session identifier to gain unauthorised access to accounts. This can allow criminals to access sensitive information or even impersonate victims to conduct fraudulent transactions.
Cookies may store a wide range of data, from browsing preferences and login credentials to payment details and phone numbers. Hackers can intercept session identifiers through public Wi-Fi networks, unsecured websites using HTTP instead of HTTPS, or by exploiting vulnerabilities such as cross-site scripting (XSS). In some cases, attackers use session fixation, tricking victims into using a pre-determined session ID to later infiltrate their accounts.
The implications of session hijacking are severe, ranging from privacy violations and financial losses to identity theft and reputational damage. For example, compromised accounts can be exploited to send fraudulent messages, spread malicious content, or perform unauthorised transactions.
Natalia Zakoskina, Web Content Analysis Expert at Kaspersky, explained:
“Cookies are fundamental to smooth online experiences, offering personalised settings and simplified logins. But without proper safeguards, they become attractive targets for cybercriminals. By exploiting session identifiers, attackers can compromise accounts, steal sensitive data, and manipulate web interactions. Developers must prioritise security measures, while users should take proactive steps to protect their digital footprint.”
Recommended Protective Measures
In response to these risks, Kaspersky has issued key recommendations for both users and developers:
For users:
Avoid entering sensitive information on websites that rely on the unsecured HTTP protocol.
Refrain from sharing personal data over public Wi-Fi unless connected through a virtual private network (VPN).
Limit cookie permissions to the minimum required, and regularly delete stored cookies and browser cache.
Enable two-factor authentication, steer clear of suspicious links, and clear browser data frequently.
For developers:
Ensure all websites adopt HTTPS protocols.
Implement “HttpOnly” and “Secure” cookie flags.
Apply cross-site request forgery (CSRF) protections.
Generate session IDs using strong encryption-based algorithms.
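The developer measures above, and the session fixation defence they imply, as an added sketch that is not code from Kaspersky's report: a session ID drawn from the operating system's secure random source, a cookie carrying the HttpOnly and Secure flags, a per-session CSRF token, and a new ID issued at login. The cookie name, the SessionStore class, the SameSite attribute and the reading of "strong encryption-based algorithms" as a cryptographically secure random generator are assumptions of this example.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"  # hypothetical cookie name, not from the report


class SessionStore:
    """In-memory session table (illustrative; a real site would persist and expire these)."""

    def __init__(self):
        self._sessions = {}

    def create(self, user=None):
        # 32 bytes from the OS CSPRNG: the ID is unguessable and carries no user data.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login(self, presented_sid, user):
        # Session fixation defence: never promote the ID the browser presented.
        # Drop it and issue a fresh one, so a pre-set ID is worthless after login.
        self._sessions.pop(presented_sid, None)
        return self.create(user)

    def csrf_ok(self, sid, token):
        # CSRF check: a state-changing request must echo the per-session token.
        session = self._sessions.get(sid)
        if session is None or not isinstance(token, str):
            return False
        return hmac.compare_digest(session["csrf"].encode(), token.encode())


def session_cookie_header(sid):
    """Build the Set-Cookie value with the flags from the developer list."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = sid
    morsel = cookie[SESSION_COOKIE]
    morsel["secure"] = True      # only sent over HTTPS
    morsel["httponly"] = True    # not readable from page script (limits XSS theft)
    morsel["samesite"] = "Lax"   # assumption: extra attribute, not named in the report
    morsel["path"] = "/"
    return morsel.OutputString()
```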
Kaspersky emphasised that stronger cookie management policies are vital, particularly in light of global regulations such as the General Data Protection Regulation (GDPR), which requires transparency in data collection and storage.