Keeping your devices and browser(s) clear of junk
Your browser holds a lot of data about the websites you visit. If someone were to get hold of that data, they could do a lot or a little depending on how your browser is set up.
The attacker might also get things like which websites you are logged in to, your cookies, and your session tokens. This method of attack targeted Linus Tech Tips, a popular YouTube channel about computer-related videos. I got the idea to write about this from his video, and it is one thing I try to keep in my conscious mind. The video going over the attack on Linus is here.
Rob Colbert's thoughts
Rob Colbert wrote a high-level explanation of this, which begins below. My own recommendations follow it.
I was asked on Gab if I can read the data in a cookie if I get my hands on that cookie. The short answer is: Cookies don't often "store" data within them. They instead grant access to data if you know how to fetch it using the cookie as the "key" it is to unlock access to it.
See, a cookie is basically just a piece of text that, when correctly submitted to an issuing service (the thing that gave you the cookie), will grant me access to: You. It is possible to store data that can be read by the user agent ("browser"), but it's more common to keep the data within the service and only put an "ID" in the cookie.
The service accepting that cookie to represent your login session uses that ID as a literal key to look up your active session record (which is why the ID is not, commonly, your User ID) and pull your session data into memory. And this is why everything from law enforcement to "hackers" doesn't care about your VPN. They want your cookies.
Because that session data unlocked by the cookie commonly contains a User record, or at least parts of it, or at the very least the User ID required to fetch the User record (using very generic terms here). And that's the tasty stuff. Because with it? The attacker is you. They can do the things you can do.
Cookies contain a Session ID, not a User ID. This is because one User can have many open Sessions, and each Session will have its own data specific to that session on that device. That Session ID is used to look up the User. And the User is what the attacker wants.
So attackers want those cookies. And they do some pretty clever things to get them. This is where you maybe get some mental image of the Hollywood Hacker clacking on the keyboard, but it's actually a lot easier than that.
Ironically, there's an app for that.
Socially-Engineered Software Installs
All these attackers have to do is brand their services a certain way as an "app" in the stores to attract specific unsuspecting users. And they'll get bags of them.
They package their apps as many different apps with different branding, a different name and logo... all to attract diverse user groups... into common aggregated spy pits.
Now, they can spy on those unsuspecting/over-trusting people while using their devices for their own and often malicious purposes such as DDoS attacks, identity theft, "scams" (your computer has a virus! call this number now for help!), cryptocurrency theft, and more.
Beyond that, depending on the device, how it works, and its capabilities, they won't just know your IP address. Their VPN would be giving them that even if your device can't. But I need you to imagine what an attacker can get if they have (sometimes privileged) compiled code running on your device(s). Because this is (commonly) how they are getting your session cookies.
It has nothing to do with public WiFi or any of that. You installed their app. Now, it has your whole device to whatever level of permissions were granted (perhaps by you) during the installation of said app. Whoops!
See, one of the most effective modern ways to harvest session cookies from people is through having an unsuspecting person install a malicious app such as:
- Free VPN!
- Free Game!
- Make It Run Faster!
- Make It More Secure (LOL)!
on their devices and especially on PCs. Because on a PC, Mac, and yes even Linux or similar, the malicious "VPN" or whatever will just go TAKE your session cookies right out of your browser's storage.
And it will probably do that with administrative or superuser/root privileges that were granted during the install by accepting a dialog box the unsuspecting/over-trusting user dismissed with a Yes or OK or Proceed. Because it's a VPN, right? That's like...good security stuff, right? [permission granted].
And yes: Attackers absolutely do go through all that effort to get your session cookies by any means necessary. They absolutely do create malicious VPN software, package and brand it to be appealing to political dissidents, crypto bros, and even for drug, gun, and human traffickers. Because that VPN is the most private VPN, doesn't store server logs, and doesn't hand its data over to law enforcement. Yep.
And (sarcasm) that's always because they aren't themselves criminal at all. Nope.
So just (sarcasm) install the VPN, accept the terms, conditions, and permissions, and enjoy that enhanced privacy and security it "provides".
Best Advice I Can Give
If you work in a corporate office, and if that office's network tends to work and the computers are perfect more often than they are "fucked up" then please simply use only what their IT department recommends. It's just very likely that they've done their homework to ensure you'll have the expected experience...and no other experience.
If you are trying to pick your own off-the-shelf or free VPN? Please stop. Just learn to use your computer wisely, trust your gut if it's telling you, "This seems shady," and stop.
I have never recommended a VPN to consumers for home use, and I won't start. I don't offer a VPN service. I also don't use them. What I recommend instead is just learning more about how your computer and the Web itself work, and how to avoid the traps attackers set.
A really good policy is: Minimize the number of different online services you even use. I don't mean at one time...I mean period. Cutting the cunty apps out of your life does a bunch of beneficial things:
- You no longer worry: Is it spying on me?
- You no longer owe it money
- It no longer has the ability to commit identity theft on you
- It no longer has the ability to steal your session cookies
- It no longer has the opportunity to mine the data you won't be sending anymore
- It can't use your device for its own purposes
- It can't drain your battery or blow up your GPU by mining crypto
- You'll get FAR fewer notifications and SMS
- The people in IT everywhere will thank you
- It's actually free/zero-cost to delete shit!!
Sometimes, using a computer is exactly like driving a car with your family in it. There are decisions you can make and basic rules you can follow to help ensure that everyone stays as safe as possible. Please compute responsibly.
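Rob's point about Session IDs, as an added example in Python that is not part of Rob's text or of this post: the cookie is only an opaque key, the service looks the user up from it, and whoever holds the cookie is that user until the session expires or is revoked. The SessionStore class and its login/resolve/revoke_all methods are hypothetical names chosen for the illustration.

```python
"""Toy server-side session store (added illustration, hypothetical API)."""
import secrets


class SessionStore:
    def __init__(self, ttl_seconds=3600):
        self.sessions = {}       # session_id -> record, kept on the server
        self.ttl = ttl_seconds   # idle time after which a session dies

    def login(self, user_id, device, now):
        # The cookie value is random text; nothing about the user can be
        # read out of it. The User ID lives only in the server-side record.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user_id": user_id, "device": device,
                              "created": now, "last_seen": now}
        return sid

    def resolve(self, cookie_value, now):
        # Use the cookie as the lookup key. Anyone presenting a valid
        # Session ID is treated as that user, whatever device they are on.
        rec = self.sessions.get(cookie_value)
        if rec is None:
            return None
        if now - rec["last_seen"] > self.ttl:
            del self.sessions[cookie_value]   # expired: copied cookie is worthless
            return None
        rec["last_seen"] = now
        return rec["user_id"]

    def revoke_all(self, user_id):
        # "Log out everywhere": drop every session of this user so that a
        # cookie harvested earlier stops working immediately.
        stale = [s for s, r in self.sessions.items() if r["user_id"] == user_id]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)


def demo():
    # Constructed scenario: alice logs in, her cookie is copied, then revoked.
    store = SessionStore(ttl_seconds=600)
    t0 = 1_700_000_000
    cookie = store.login("alice", "laptop", t0)
    opaque = "alice" not in cookie                             # no User ID in cookie
    stolen_works = store.resolve(cookie, t0 + 60) == "alice"   # holder is alice
    revoked = store.revoke_all("alice")                        # 1 session dropped
    dead = store.resolve(cookie, t0 + 120) is None             # cookie now useless
    return opaque, stolen_works, revoked, dead


if __name__ == "__main__":
    print(demo())  # (True, True, 1, True)
```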
- I recommend practicing browser isolation: using different browsers for different kinds of sites. For example, browse work sites in Firefox and social sites in another browser such as Google Chrome.
- Use private/incognito browsing for banking and other important accounts. On desktop, LibreWolf provides private browsing out of the box.
- A browser extension I use to delete cookies and site data automatically is Cookie AutoDelete. The links to the extension are below.
- Follow Rob's advice above.