PayPal

PayPal has filed a patent application for a novel method that can identify when "super-cookie" is stolen, which could improve the cookie-based authentication mechanism and limit account takeover attacks.

The risk that PayPal wants to address is that of hackers stealing cookies containing authentication tokens to log into victim accounts without the need for valid credentials and bypassing two-factor authentication (2FA).

"The theft of cookies is a sophisticated form of cyberattack, where an attacker steals or copies cookies from a victim's computer onto the attacker's web browser," PayPal says in the patent application.

"With stolen cookies often containing hashed passwords, the attacker can use a web browser on the attacker's computer to impersonate the user (or authenticated device thereof) and gain access to secure information associated with the user's account without having to manually login or provide authentication credentials," it is further explained.

System details

Unlike standard cookies stored locally, super-cookies (also referred to as "Flash cookies") are Local Shared Objects (LSOs) that are injected at the network level as unique identifier headers (UIDH) by the user's internet service provider (ISP).

These super-cookies are used primarily for cross-site tracking, following users across different browsers on the same device, collecting data on browsing activity, and serving as persistent "device fingerprints."

Super-cookies are more difficult to detect and wipe because they are not stored in the browser's standard cookie storage location.

Various types of supercookies
Examples of supercookies (TechTarget)

PayPal's engineers have identified a method to calculate a fraud risk score in the cookie-based authentication mechanism to identify fraudulent login attempts on the electronic payments platform.

When a system receives a request for authentication from a user's device, it identifies the various cookie storage locations on the device and sorts them "in order of increasing fraud risk."

"A cookie value for each storage location is retrieved from the device. For each storage location after the first: an expected cookie value is calculated based on the cookie value of a preceding storage location," reads the abstract of the patent application.

PayPal's system then assesses a risk score by comparing the expected cookie values with the values assigned for the device's storage locations.

"The authentication request is processed based on whether the assigned score for at least one of the storage locations exceeds a predetermined risk tolerance for fraud detection." 

System logic
System logic (uspto.gov)

Based on the risk assessment, the system manages the authentication requests accordingly, accepting, rejecting, or activating additional security measures for the approval of the login attempt.

To ensure safety against tampering, the retrieved cookie values are encrypted using a public key cryptographic algorithm.

Value encryption and comparison steps
Value encryption and comparison process (uspto.gov)

PayPal's patent describes a method that aims to defend against cyberattacks by ensuring that cookies are used legitimately during the authentication process.

The electronic payments giant filed the patent titled "Super-Cookie Identification for Stolen Cookie Detection" in July 2022, and it was published by the United States Patent and Trademark Office earlier this month.

As with all patents, there's no guarantee that the tech described in the document will reach consumer portals, in that form or another, but it shows that stolen web cookies for unauthorized logins are enough of a problem to deserve new protection mechanisms.

Related Articles:

Malware abuses Google OAuth endpoint to ‘revive’ cookies, hijack accounts

Citrix, Sophos software impacted by 2024 leap year bugs

U-Haul says hacker accessed customer records using stolen creds

VoltSchemer attacks use wireless chargers to inject voice commands, fry phones

Ongoing Microsoft Azure account hijacking campaign targets executives