Facebook Cookie stealing and session hijacking python code


Almost everyone knows here what a cookie is. If you don’t know, let me give a quick and brief introduction of this word called ‘cookies’.

What are cookies?

A cookie is a piece of information in the form of a very small text file that is placed on an internet user’s hard drive. Cookies are created when a user’s browser loads a particular website. The website sends information to the browser which then creates a text file.  

Login information is also stored in a cookie so the user can enter and leave the website without having to re-enter the same authentication information over and over. so, basically when you login into facebook or any other website, it sends a piece of cookie to you so that yo do not have to enter the password again and again.

There are generally two types of cookies:

1.Session cookie

These are temporary cookie files, which are erased when you close your browser. When you restart your browser and go back to the site that created the cookie, the website will not recognize you. The cookies are destroyed or removed when you leave that website.

2.Persistent cookie

These files stay in one of your browser’s subfolders until you delete them manually or your browser deletes them based on the duration period contained within the persistent cookie’s file. For eg: When you check that little remember me box and then login to facebook, facebook login cookies are stored in the browser’s cookie database. After closing the browser, when you open it again you will see that you are automatically logged in.

What’s the problem then?

So, if you steal the cookies and inject it into your browser you can access the victim’s account without entering the login info. Everybody’s knows that and there are many ways to that in your local network and there are also some cookie stealer malwares. If the cookies are not encrypted you can easily capture them using wireshark or some other network monitoring tool in your local network and there are a lot of tutorials available on the web to do that. The problem with old techniques is that when the victim clicks on logout, attacker’s session also gets ended.

The Hack

facebook stores it’s login session information in 3 cookies:

>  c_user(victim’s user id)

> datr

> xs

Now. .after logging into facebook, anyone can easily view their cookies as seen in the screenshot below.

To view your cookies in firefox, goto tools>options>privacy>remove cookies

facebook cookie

facebook cookies


You can add or edit any cookie in your browser with a cookie manager. Download Cookies Manager+ addon for firefox and then you can inject any cookie into your browser. Here is a screenshot.

Injecting cookies through Cookie Manage addon

Injecting cookies through Cookie Manager addon in firefox


These are the cookies we are talking about. Now the trick is if we steal the cookie somehow and then also remove it from the browser’s cookie DB then the victim will never be able to end that particular session and then we will be able to access the victim’s account till the victim changes his password or he ends all his session from the settings tab in facebook which one rarely does.

Sounds cool. .but how are we going to steal the cookie? facebook is not vulnerable to XSS attacks so we can’t get the cookie easily by using the traditional methods of sending a malicious javascript encoded link to the victim. Therefore I decided to code a malware which will automate the whole process. Firefox stores it’s cookies in cookies.sqlite database in it’s profile folder.

Here is the path to firefox’s cookie folder:

C:\Users\<user name>\AppData\Roaming\Mozilla\Firefox\Profiles\<some random folder name>\cookies.sqlite

Now, what the malware does:

1. Finds the path to the cookie database and kills the firefox process.

2. Opens the sqlite database file and steal the cookie values from there.

3. Removes all the facebook cookies from the DB. [The main part]

4. Sends the cookie data to the attacker.

Now the victim will not be able to end his session as the cookies are now deleted from the browser’s database and the attacker can continue to use it even if the victim clicks on logout button.

Note: This is not a full fledged malware code, It’s just a demo to show how easily someone can hack into your account. You can code it in your own language of choice and make it more advanced and stealth. Still, it’s antivirus detection ratio is 0 or say it’s FUD because it does not contain any virus signatures nor does it perform any such malicious activity which the antivirus can find malicious.

The code is written in python you can make changes and convert it into a single executable by using pyInstaller module. It sends the data back to the attacker using a PHP code hosted on a website. It’s a simple cookie logger php script which I have included. You can also edit the code to send the data back in a different way.

Full code and instruction can be found here for both windows and linux : https://github.com/rash2kool/cookie_stealer

After running the executable or with a single double click the cookie data is silently logged into a file.

Note: It only works if the user has selected remember me and is also currently login into his facebook account from firefox web browser.


Cookie logs


Benefits of session hijacking 

1. Bypass location restriction: Many websites store your last login location and if you open your account from a different location then it will block you from accessing the account unless you answer the security question or any other sort of checking. Using this, you can easily bypass that and the website will never block you even if you inject those cookies on the other part of the globe.

2. No login notification sent: If the user gets somekind of login notification each time he logs in, he will never get that notification since no login was actually done.

What about other sites then?

well. .many of them can be hacked using similar trick if the website allows the user to browse simultaneously on different sessions!

Many don’t even care to expire their sessions. Like in yahoo you can continue using the cookie value for at least 24 hours and if you will refresh the victim’s page once in 24 hours, you can continue using that cookie for lifetime. Hotmail and Live can also be hacked using this trick. I will soon publish a different article about that.

 I hope Mozilla guys are now going to encrypt their cookies in their next version as chrome did  🙂  😉

  1. srajan
    • admin

Leave a Reply

Your email address will not be published. Required fields are marked *