What Is Pass-the-Cookie?
Pass-the-Cookie (PTC), also known as session token compromise or cookie hijacking, is a cyberattack technique in which adversaries steal web session cookies or authentication tokens from compromised systems and reuse them to impersonate legitimate users without needing credentials or bypassing MFA. Once authenticated, users receive session tokens stored as cookies that grant access to applications for extended periods without re-authentication. Attackers steal these tokens through malware, browser extensions, network interception, or credential compromise, then use them on different devices to maintain unauthorized access to cloud applications, data, and services, according to Netwrix, Obsidian Security, Varonis, and MixMode AI research published in 2025.
PTC represents a fundamental shift in account takeover attacks: rather than targeting identity provider (IdP) authentication, modern attacks target the authenticated session tokens in individual SaaS applications. This exploits a critical gap in security architecture: MFA protects the authentication moment, not the session that follows.
How does pass-the-cookie work?
Pass-the-cookie attacks follow a multi-stage process that combines initial compromise, token theft, anti-detection techniques, and unauthorized access.
Stage 1: Initial compromise occurs when attackers obtain authentication cookies or session tokens through one of several vectors. Infostealer malware like Redline, Emotet, and Aurora Stealer exfiltrates browser session cookies from the infected device. Malicious browser extensions with code injection capabilities steal cookies from active tabs. After obtaining credentials through phishing, attackers log in legitimately and then steal the resulting session cookie. Cookies sent in unencrypted HTTP traffic can be captured on the network; this is rare for modern applications, but legacy systems remain vulnerable. Compromised SaaS vendors provide access to cookies stored on that platform. Compromised developer tools or build pipelines leak authentication tokens stored in CI/CD systems.
In 2025, Google's Threat Analysis Group documented cookie theft campaigns that targeted content creators with fake collaboration tools offering malware downloads that steal cookies.
Stage 2: Cookie packaging and sale occurs when stolen cookies are bundled with additional data for sale on dark web marketplaces: the session cookie value; device fingerprint data covering user agent, screen resolution, browser extensions, and installed fonts; the IP address and geolocation associated with the cookie; account metadata including username, email, and associated accounts; and the expiration timestamp of the session.
A single credential with cookies for multiple SaaS applications including Gmail, Office 365, Slack, and GitHub sells for $50-$500 depending on account value, according to Obsidian Security and Varonis research.
Stage 3: Token reuse with anti-detect browsers relies on crimeware tools called "anti-detect browsers" that impersonate the original device. The anti-detect browser clones the device fingerprint, including OS version, browser version, installed extensions, screen resolution, timezone, and language. The attacker configures the browser to proxy through the same IP address or geographic region as the original session and injects the stolen session cookie into it. The session then appears to originate from the original device and user, evading anomaly detection systems, and the attacker accesses the application without triggering MFA or re-authentication.
This technique bypasses session validation systems that check IP address matching, device fingerprint consistency, browser/OS type matching, and geographic consistency, according to Obsidian Security and Varonis.
Stage 4: Unauthorized access and lateral movement proceeds once the attacker is inside an authenticated session. The attacker accesses all data the compromised user is authorized to retrieve, including emails, files, and credentials; modifies account settings to establish persistence through the backup email address, phone number, and recovery codes; moves laterally, using the compromised account to reach other systems linked to the user's email; exfiltrates sensitive data including customer data, source code, financial information, and trade secrets; and establishes backdoor access for future exploitation.
A real-world incident documented by Obsidian: an attacker authenticated to Okta with MFA from IP 162.XXX.XXX.XXX, consistent with the legitimate user's location, but the resulting Office 365 session suddenly originated from 67.2XX.XXX.XXX, a TOR Guard VPN service, suggesting stolen session token reuse.
Once obtained, session cookies grant access to all data the user is authorized to retrieve without triggering MFA. MFA only protects the initial authentication moment, not the session window that follows, according to Obsidian Security. Unlike OTP codes, which are valid for 30-120 seconds, session cookies remain valid far longer: short-lived tokens of 1-8 hours for enterprise SaaS like Okta and Microsoft, standard tokens of 8 hours to 1 day for Gmail and Slack, and long-lived tokens of weeks to months for remember-me cookies and refresh tokens.
This extended window provides attackers a larger operational timeframe. A single stolen session cookie can be used from any device, any location, and any IP address if the attacker uses anti-detect browser spoofing, making geographic anomaly detection ineffective. In 2025, Google stated that cookie and authentication token theft has risen rapidly and intensified, which is why major tech companies like Google have pushed defenses like Device Bound Session Credentials (DBSC), according to Google research.
How does pass-the-cookie differ from other authentication attacks?
Pass-the-cookie employs distinct attack mechanisms and characteristics compared to other authentication compromise techniques.
| Factor | Pass-the-Cookie | MFA Fatigue | SIM Swapping | AiTM Phishing |
|---|---|---|---|---|
Requires user interaction | No | Yes | No | No |
Targets authentication moment | No (targets post-auth) | Yes | Yes | Yes |
Valid without re-authentication | Yes | No (compromise needed) | No (password reset needed) | No (one-time use) |
Session duration | Hours-months | Single login | Single login | Single login |
Requires initial compromise | Yes | Yes | Yes (social eng) | No (phishing only) |
Detection difficulty | High | Medium | High | High |
Technical sophistication | Medium-high | Low | Low-medium | High |
Cost to attacker | Medium ($50-$500) | Low ($10-$50) | Medium (time-intensive) | Medium |
Timeline to data access | Immediate | Minutes | Hours | Minutes |
Reversibility | Difficult (token must expire) | Partial | Difficult | Immediate |
Prevention by FIDO2 | Partial (prevents initial auth but not cookie theft) | Yes | Yes | Yes |
Ideal for | Long-term persistent access without credentials; evading all authentication controls | Low-budget attacks exploiting weak rate limiting | High-value targeted attacks on SMS-based accounts | Real-time MFA bypass at scale with proxy infrastructure |
MFA fatigue, SIM swapping, and AiTM phishing all target the authentication moment when credentials and second factors are verified. Pass-the-cookie operates entirely post-authentication, stealing tokens after successful authentication has already occurred.
The session duration advantage enables attackers to maintain access for hours to months compared to single-session compromises from other attacks. However, pass-the-cookie requires initial system compromise through malware or network access, while AiTM phishing operates without requiring device compromise.
Why does pass-the-cookie matter?
The rise of pass-the-cookie attacks challenges fundamental assumptions about session security and MFA effectiveness.
Google publicly stated in 2025 that cookie and authentication token theft has risen rapidly and intensified, prompting the company to develop and promote Device Bound Session Credentials (DBSC) to make stolen cookies harder to reuse from another device. This indicates cookie-based attacks are now a primary concern for major cloud providers, according to Google research.
Google's Threat Analysis Group documented cookie theft campaigns targeting content creators through fake collaboration offers and malware downloads in 2025. Once victims run the fake software, malware steals cookies and uploads them to attacker-controlled servers. Hijacked accounts are often used for crypto-scam live streams, with attackers impersonating the creator to solicit donations and investments.
Varonis and MixMode AI documented "Cookie-Bite" as an emerging incident class where stolen cookies enable MFA bypass and extended access to cloud environments, with examples from 2024-2025 demonstrating attackers maintaining access weeks after initial compromise using only stolen session tokens.
Infostealer malware designed to exfiltrate browser cookies is among the most distributed malware families in 2025, with tens of thousands of infections monthly. The stolen credentials including cookies are routinely sold in underground markets, according to Obsidian Security.
Commercial anti-detect browser tools specifically designed to spoof device fingerprints and reuse stolen cookies are widely available in underground markets and increasingly advertised in public forums, indicating mainstream criminal adoption of the technique.
Most organizations do not synchronize application-level session timeouts with IdP session timeouts. If the IdP session expires but the application session remains valid, stolen application tokens continue to grant access even after the user's "official" session ends, according to Obsidian Security.
What are the limitations of pass-the-cookie attacks?
Despite their effectiveness, pass-the-cookie attacks face technical and operational constraints that limit universal applicability.
Device Bound Session Credentials (DBSC) represent the most significant limitation. Google, Apple, and major security vendors are implementing DBSC, which binds session tokens cryptographically to the device that created them. Stolen cookies cannot be used on different devices even if device fingerprinting is spoofed, because the token is invalid on non-original devices. This represents a fundamental defense against pass-the-cookie attacks, according to Google research published in 2025.
Short-lived tokens with 5-15 minute validity, combined with automatic refresh token rotation, limit the window in which stolen tokens can be exploited: a stolen token expires quickly, leaving the attacker little time. However, most organizations still use 1-8 hour session windows, according to Obsidian Security.
Session logout on password change should invalidate all active session tokens when a user changes their password. However, organizations often fail to synchronize this across all applications, leaving stolen tokens valid even after a password change. If implemented correctly, password rotation immediately invalidates stolen cookies.
Behavioral analytics detection: organizations that deploy user behavior analytics can identify unusual session patterns, including a session originating from a different country than the user's historical location, a session from a VPN or Tor when the user historically connects directly, unusual file access patterns (an attacker downloading bulk data differs from the user's typical selective access), and impossible travel between two access locations.
This detection requires security tools that correlate identity, network, and behavioral data, according to Obsidian Security and Vectra AI research.
Multi-stage authentication (step-up) requiring re-authentication for sensitive actions including admin portal access, credential changes, and data export can frustrate pass-the-cookie attacks. Even with a valid session token, the attacker cannot access high-value functions without passing step-up authentication, according to Obsidian Security.
Malware detection through endpoint detection and response (EDR) solutions can identify infostealer malware before it exfiltrates cookies, preventing initial compromise. Additionally, browser isolation and containerization limit malware's ability to steal cookies.
Token format constraints: tokens with built-in device binding, expiration timestamps, and cryptographic signatures are harder to forge or misuse than simple session IDs. Modern token formats like JWT with HMAC validation are more secure than legacy cookie formats, according to Obsidian Security.
How can organizations defend against pass-the-cookie?
Defense against pass-the-cookie requires implementing controls across session management, endpoint security, monitoring, and incident response.
Implement Device Bound Session Credentials (DBSC) as the primary technical defense. Deploy DBSC technology that cryptographically binds session tokens to the device they were created on. Tokens stolen from Device A cannot be used on Device B, even if the attacker spoofs device fingerprints or uses the same IP address. This directly mitigates pass-the-cookie attacks, according to Google research published in 2025.
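The binding the paragraph describes, as an added, constructed simulation that is not Google's DBSC code: the server accepts a session cookie only together with a proof that the request came from the enrolled device key, so a cookie copied off the device is useless on its own. The HMAC key standing in for DBSC's asymmetric device key pair, and the names DeviceKeyStore, SessionServer and demo, are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed simulation of a device-bound session, not Google's DBSC code.
# Real DBSC binds the session to an asymmetric key pair whose private half never
# leaves the device's TPM; here an HMAC key usable only through DeviceKeyStore.sign()
# stands in for that pair, and the server keeps a reference copy to verify proofs.

class DeviceKeyStore:
    """Stand-in for non-exportable device key material: exposes sign() only."""
    def __init__(self):
        self._key = secrets.token_bytes(32)

    def enrollment_material(self):
        return self._key  # real DBSC would export only the public key here

    def sign(self, data):
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

class SessionServer:
    def __init__(self):
        self._sessions = {}  # cookie value -> {"user", "key", "nonce"}

    def login(self, user, device_key):
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = {"user": user, "key": device_key, "nonce": None}
        return cookie

    def challenge(self, cookie):
        """Fresh nonce per request, so a captured proof cannot be replayed."""
        s = self._sessions.get(cookie)
        if s is None:
            return None
        s["nonce"] = secrets.token_bytes(16)
        return s["nonce"]

    def request(self, cookie, proof):
        """Return the user only if the cookie AND a proof of key possession check out."""
        s = self._sessions.get(cookie)
        if s is None or s["nonce"] is None or proof is None:
            return None
        expected = hmac.new(s["key"], s["nonce"] + cookie.encode(), hashlib.sha256).hexdigest()
        s["nonce"] = None  # single use
        return s["user"] if hmac.compare_digest(expected, proof) else None

def browser_fetch(server, cookie, keystore):
    """What the legitimate browser does on each request: sign the server's nonce."""
    nonce = server.challenge(cookie)
    proof = keystore.sign(nonce + cookie.encode())
    return server.request(cookie, proof), proof

def demo():
    server, victim_keys = SessionServer(), DeviceKeyStore()
    cookie = server.login("alice", victim_keys.enrollment_material())
    legit, captured_proof = browser_fetch(server, cookie, victim_keys)
    # Attacker scenarios: the cookie value was copied off the device, the key was not.
    server.challenge(cookie)
    no_key = server.request(cookie, None)
    wrong_key = browser_fetch(server, cookie, DeviceKeyStore())[0]
    server.challenge(cookie)
    replay = server.request(cookie, captured_proof)
    return {"legitimate": legit, "no_key": no_key, "wrong_key": wrong_key, "replay": replay}
```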
Enforce short-lived tokens with automatic refresh rotation: issue session tokens with 5-15 minute validity instead of 1-8 hours, rotate refresh tokens so that each use of a refresh token issues a new one, and invalidate all refresh tokens when the user changes their password or enables MFA. This limits the exploitable window for stolen tokens to minutes instead of hours, according to Obsidian Security.
Invalidate sessions on password and MFA changes: implement system-wide session invalidation when a user changes their password, invalidate all sessions when MFA is modified, added, or disabled, ensure invalidation is synchronized across all applications and devices, and give users visibility into active sessions with the ability to log out remotely, according to Obsidian Security and Keepnet Labs research.
Deploy behavioral analytics and anomaly detection systems that identify suspicious session patterns, including geographic anomalies (access from impossible locations), device fingerprint mismatches (the same session appearing from a different OS or browser), access pattern deviation (the attacker's data access differs from the user's baseline), VPN or Tor usage by users who do not historically use it, bulk data access or export attempts, and unusual time-of-day access.
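One way to implement the rotation and invalidation rules of the two paragraphs above, as an added example that is not from any of the cited vendors: a TokenService with 15-minute access tokens, single-use refresh tokens grouped in per-login families, revocation of the family when a rotated refresh token is replayed, and revocation of every family when credentials change. The TTL values and all names are assumptions.

```python
import secrets

ACCESS_TTL = 15 * 60          # seconds: the 5-15 minute window the text recommends
REFRESH_TTL = 14 * 24 * 3600  # constructed value for the demo

class TokenService:
    def __init__(self, clock):
        self.clock = clock             # callable returning epoch seconds (injectable for tests)
        self.access = {}               # access token -> (user, family, expires)
        self.refresh = {}              # refresh token -> (user, family, expires, used)
        self.revoked_families = set()  # a family groups every token issued for one login

    def _issue(self, user, family):
        now = self.clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = (user, family, now + ACCESS_TTL)
        self.refresh[refresh] = (user, family, now + REFRESH_TTL, False)
        return access, refresh

    def login(self, user):
        return self._issue(user, secrets.token_hex(8))  # new family per login

    def validate(self, access_token):  # user for a live access token, else None
        entry = self.access.get(access_token)
        if entry is None:
            return None
        user, family, expires = entry
        if family in self.revoked_families or self.clock() >= expires:
            return None
        return user

    def rotate(self, refresh_token):
        """Exchange a refresh token for a new pair; replaying a used one revokes its family."""
        entry = self.refresh.get(refresh_token)
        if entry is None:
            return None
        user, family, expires, used = entry
        if family in self.revoked_families or self.clock() >= expires:
            return None
        if used:  # legitimate client and thief both hold it: kill every token in the family
            self.revoked_families.add(family)
            return None
        self.refresh[refresh_token] = (user, family, expires, True)
        return self._issue(user, family)

    def on_credential_change(self, user):  # password or MFA change: revoke all families
        for entry in list(self.access.values()) + list(self.refresh.values()):
            if entry[0] == user:
                self.revoked_families.add(entry[1])

def demo():
    clock = [1_000_000.0]
    svc = TokenService(lambda: clock[0])
    access, refresh = svc.login("alice")
    live = svc.validate(access)
    clock[0] += 16 * 60                      # 16 minutes later: a stolen access token is dead
    expired = svc.validate(access)
    access2, _ = svc.rotate(refresh)         # legitimate client rotates
    rotated_ok = svc.validate(access2)
    stolen_reuse = svc.rotate(refresh)       # a stolen copy of the old refresh token is replayed
    after_reuse = svc.validate(access2)      # whole family revoked, even the fresh token
    access3, _ = svc.login("alice")
    svc.on_credential_change("alice")
    return live, expired, rotated_ok, stolen_reuse, after_reuse, svc.validate(access3)
```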
Correlate identity logs with network and application logs for holistic detection, according to Obsidian Security and Vectra AI research.
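The two correlations described above (IdP authentication IP versus application session IP, and impossible travel), run over constructed sample log lines, as an added example rather than any vendor's detection logic; the event schema, the IP addresses (RFC 5737 documentation ranges), the coordinates and the 900 km/h threshold are assumptions.

```python
import json
import math
from datetime import datetime, timezone

# Constructed sample events (not real logs); the shape mimics an IdP MFA success
# record followed by application session starts, like the Okta/Office 365 incident above.
LOG_LINES = """
{"source":"idp","event":"auth.mfa.success","user":"alice","ip":"192.0.2.10","lat":40.71,"lon":-74.01,"ts":"2025-03-01T09:00:00Z"}
{"source":"app","event":"session.start","user":"alice","ip":"192.0.2.10","lat":40.71,"lon":-74.01,"ts":"2025-03-01T09:00:05Z"}
{"source":"app","event":"session.start","user":"alice","ip":"203.0.113.5","lat":52.52,"lon":13.40,"ts":"2025-03-01T09:20:00Z"}
{"source":"idp","event":"auth.mfa.success","user":"bob","ip":"198.51.100.1","lat":51.50,"lon":-0.12,"ts":"2025-03-01T10:00:00Z"}
{"source":"app","event":"session.start","user":"bob","ip":"198.51.100.1","lat":51.50,"lon":-0.12,"ts":"2025-03-01T10:00:03Z"}
""".strip().splitlines()

MAX_KMH = 900.0  # faster than an airliner between two events counts as impossible travel

def parse(lines):
    events = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def detect(events):
    """Return (user, rule, detail) alerts.
    Rule 1: an app session whose source IP differs from the IdP IP that last authenticated the user.
    Rule 2: impossible travel between two consecutive events of the same user."""
    alerts, last_idp_ip, last_event = [], {}, {}
    for e in events:
        u = e["user"]
        if e["source"] == "idp":
            last_idp_ip[u] = e["ip"]
        elif e["event"] == "session.start" and u in last_idp_ip and last_idp_ip[u] != e["ip"]:
            alerts.append((u, "app_session_ip_mismatch", f"idp {last_idp_ip[u]} vs app {e['ip']}"))
        prev = last_event.get(u)
        if prev is not None:
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            if hours > 0 and km / hours > MAX_KMH:
                alerts.append((u, "impossible_travel", f"{km:.0f} km in {hours * 60:.0f} min"))
        last_event[u] = e
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(LOG_LINES)):
        print(alert)
```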
Implement zero trust session validation: validate sessions continuously rather than only at login, require re-authentication (step-up) for sensitive operations including admin access, credential changes, and data export, bind sessions to specific networks, devices, or IP address ranges where possible, and implement transaction signing for financial and sensitive operations, according to Obsidian Security and Keepnet Labs research.
Deploy endpoint detection and response (EDR) to prevent or detect infostealer malware before it exfiltrates browser cookies: behavioral sandboxing to detect credential and cookie exfiltration attempts, memory injection detection to identify malware hooking browser processes, browser isolation to prevent malware from accessing local cookies, and continuous monitoring of browser extensions for malicious behavior, according to Obsidian Security.
Enforce secure cookie configuration: mark all session cookies HttpOnly to block JavaScript access and so mitigate script-based theft, mark them Secure so they are transmitted only over HTTPS and cannot be intercepted unencrypted, set the SameSite attribute to Strict to prevent cross-site cookie inclusion, use Domain and Path restrictions to limit cookie scope, and sign or encrypt cookies so they are validated on each request, according to Obsidian Security and Netwrix research.
Implement session timeout and activity monitoring: enforce idle session timeouts after 5-15 minutes of inactivity, give users activity logs showing all authenticated sessions with location, device, and timestamp, let users remotely terminate sessions (especially important if they suspect compromise), and alert users when a new session is created from an unexpected location or device, according to Obsidian Security.
Deploy credential monitoring and dark web intelligence: monitor dark web marketplaces and forums for leaked credentials and cookies, notify users immediately if their credentials or cookies appear in breaches, enable rapid credential rotation when compromise is detected, and track which third-party vendors have access to user credentials and tokens, according to DeepStrike and Expert Insights research.
Use hardware security keys with session binding, recognizing that while FIDO2 prevents initial authentication compromise, it does not prevent post-authentication cookie theft. FIDO2 combined with short-lived tokens and session binding provides defense-in-depth, according to Obsidian Security.
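The weak and the hardened Set-Cookie configuration side by side, with HMAC-signed values validated on each request and a small audit helper for configuration reviews, as an added example built on Python's standard http.cookies module (not code from the cited vendors); the server key, host name and session ids are constructed.

```python
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie

SERVER_KEY = b"constructed-demo-key"  # constructed; in production load from a secret store and rotate

def sign(value):
    """value.tag, where tag = HMAC-SHA256(SERVER_KEY, value), so tampering is detectable."""
    tag = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).rstrip(b"=").decode()

def verify(signed):
    """Return the original value if the signature checks out on this request, else None."""
    value, sep, _ = signed.rpartition(".")
    if not sep or not value:
        return None
    return value if hmac.compare_digest(sign(value), signed) else None

def weak_cookie(session_id):
    """The weak setting: bare session id, readable by scripts, sent over HTTP and cross-site."""
    c = SimpleCookie()
    c["session"] = session_id
    return c.output(header="").strip()

def hardened_cookie(session_id):
    """Signed value plus HttpOnly, Secure, SameSite=Strict, Domain/Path scope, short Max-Age."""
    c = SimpleCookie()
    c["session"] = sign(session_id)
    m = c["session"]
    m["httponly"] = True
    m["secure"] = True
    m["samesite"] = "Strict"
    m["domain"] = "app.example.com"  # constructed host
    m["path"] = "/app"
    m["max-age"] = 15 * 60           # matches the short-lived token guidance above
    return c.output(header="").strip()

def audit(set_cookie_value):
    """List the protective attributes a Set-Cookie value is missing."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie_value.split(";")[1:]}
    return [a for a in ("httponly", "secure", "samesite") if a not in attrs]

def session_from_request(cookie_header):
    """Server side: parse the Cookie header and accept only a correctly signed session value."""
    c = SimpleCookie(cookie_header)
    return verify(c["session"].value) if "session" in c else None
```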
FAQs
If I use a strong password and MFA, can attackers still compromise my account with pass-the-cookie attacks?
Yes, according to Obsidian Security research published in 2025. Pass-the-cookie attacks completely bypass MFA because they exploit the authenticated session window after MFA has already been passed. Once an attacker obtains your session cookie, they can access your account without needing your password or MFA code. This is why organizations must implement post-authentication security controls like session validation and behavioral analytics.
The attack fundamentally exploits a gap in authentication architecture. MFA verifies identity at login but session cookies grant ongoing access without re-verification. Strong passwords and MFA protect the authentication moment but do not protect the session tokens issued after successful authentication.
Organizations should not view MFA as a complete security solution. Defense-in-depth requires combining MFA with session security controls, endpoint protection, and monitoring.
How long can a stolen session cookie be used?
Duration depends on how the application configures session tokens, according to Obsidian Security research published in 2025. Short-lived tokens last 5-15 minutes if the application implements them correctly. Standard tokens last 1-8 hours for most applications today. Long-lived tokens last days to weeks if remember-me cookies are enabled.
Once the token expires, it cannot be reused unless the attacker has also stolen a refresh token which may be valid for weeks. Organizations should implement short-lived tokens and refresh token rotation to limit this window.
Many organizations fail to properly configure session expiration, leaving tokens valid for extended periods. Security teams should audit application session configurations and enforce strict timeout policies.
Can anti-detect browsers really spoof device fingerprints well enough to bypass security systems?
Anti-detect browsers can spoof many device fingerprint signals, including OS, browser version, and screen resolution, but they cannot perfectly replicate all of them: subtle hardware characteristics like GPU details and installed fonts, behavioral patterns like mouse movement, typing rhythm, and time spent on pages, and network characteristics like unusual latency and packet patterns, according to Obsidian Security research.
Organizations using comprehensive behavioral analytics can still detect anomalies. However, many organizations only check basic signals including IP and location, which anti-detect browsers can effectively spoof.
The effectiveness of anti-detect browsers depends on the sophistication of the organization's detection capabilities. Basic IP and location checks are easily bypassed, while advanced behavioral analytics that consider dozens of signals prove more resistant.
If my session token is stolen, will changing my password immediately prevent the attacker from using it?
In well-designed systems, yes, according to Obsidian Security research. Changing your password should invalidate all active session tokens. However, many organizations fail to implement this correctly across all applications, leaving stolen tokens valid even after password change.
Additionally, if the attacker also steals a refresh token that the password change did not invalidate, they can generate new session tokens. Users should verify that password changes invalidate sessions and should use "log out all devices" features.
Organizations should test session invalidation procedures to ensure password changes and MFA modifications properly terminate all active sessions across all applications.
What is the difference between session hijacking and pass-the-cookie attacks?
Session hijacking is the general category of using stolen or intercepted session credentials, according to Obsidian Security and Netwrix research published in 2025. Pass-the-cookie is a specific type of session hijacking in which the attacker steals authentication cookies stored locally on a device or transmitted over the network and reuses them.
Both terms are often used interchangeably, but PTC specifically emphasizes the cookie/token aspect and typically involves malware, infostealers, or network interception to obtain the cookie. Session hijacking may also refer to other techniques, like session fixation or session prediction, that do not necessarily involve cookie theft.