$20,000 Bounty: How a Leaked Session Cookie Led to an Account Takeover


Introduction: The Risk of Leaked Session Cookies
Session cookies play a critical role in user authentication, allowing users to stay logged in without re-entering credentials. However, if a session cookie is leaked, an attacker can replay it to take over the session and gain full access to the account, an attack known as session hijacking.
In this case, a Security Analyst accidentally leaked their own active session cookie while responding to a bug bounty report. This allowed a hacker to access their account, exposing sensitive reports and program data.
This security lapse resulted in a $20,000 bug bounty payout and led to several security improvements. Let’s dive into how this attack happened and how to prevent similar incidents.
1️⃣ What is Session Hijacking?
Session hijacking occurs when an attacker steals an active session cookie and reuses it to gain access to an authenticated session without needing login credentials.
🔹 How session cookies work:
When a user logs in, the server creates a session ID and stores it in a cookie.
The browser sends this cookie with every request, maintaining authentication.
If an attacker gets the cookie, they can use it to impersonate the user.
2️⃣ How the Security Analyst Leaked Their Session Cookie
🔴 The Mistake:
A Security Analyst was triaging a report and tried to reproduce the reported vulnerability.
While debugging, they copied an HTTP request from their browser’s developer console.
This request contained their active session cookie.
The analyst accidentally included the request in their response to the hacker.
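The practical control this mistake points to is to scrub credential-bearing headers from any request copied out of the browser before it is pasted into a report reply. The helper below is an added example, not code from the original post or from any bug bounty platform; the header list, the sample requests and every name in it are constructed assumptions.

```python
import re

# Headers that carry session material and must never leave the analyst's machine.
# Constructed list; extend it with any custom session header your stack uses.
SENSITIVE_HEADERS = {"cookie", "authorization", "x-csrf-token", "x-auth-token"}

# A header line in a raw HTTP request ("Cookie: session=...").
_RAW_HEADER = re.compile(r"^[ \t]*(?P<name>[A-Za-z0-9-]+):\s*(?P<value>.*)$", re.MULTILINE)
# A -H 'Name: value' flag as produced by a browser's "Copy as cURL".
_CURL_HEADER = re.compile(r"(-H|--header)\s+(['\"])(?P<name>[A-Za-z0-9-]+):\s*(?P<value>.*?)\2")

def redact_request(text: str) -> tuple[str, list[str]]:
    """Return (redacted_text, names_of_redacted_headers).

    Cookie, bearer-token and similar header values are replaced with
    [REDACTED]; everything else (method, path, Host, Accept, ...) is kept so
    the request stays useful for reproducing the report.
    """
    found: list[str] = []

    def _raw(m: re.Match) -> str:
        name = m.group("name")
        if name.lower() in SENSITIVE_HEADERS:
            found.append(name)
            return f"{name}: [REDACTED]"
        return m.group(0)

    def _curl(m: re.Match) -> str:
        flag, quote, name = m.group(1), m.group(2), m.group("name")
        if name.lower() in SENSITIVE_HEADERS:
            found.append(name)
            return f"{flag} {quote}{name}: [REDACTED]{quote}"
        return m.group(0)

    text = _CURL_HEADER.sub(_curl, text)   # cURL form first, then raw lines
    text = _RAW_HEADER.sub(_raw, text)
    return text, found

# Constructed samples (placeholder values, not from the real incident).
SAMPLE_CURL = """curl 'https://example.test/api/reports/1' \\
  -H 'Accept: application/json' \\
  -H 'Cookie: session=EXAMPLE_SESSION_VALUE; theme=dark' \\
  -H 'Authorization: Bearer EXAMPLE_TOKEN'"""

SAMPLE_RAW = """GET /api/reports/1 HTTP/1.1
Host: example.test
Cookie: session=EXAMPLE_SESSION_VALUE
Accept: application/json
"""
```

Run `redact_request` over a pasted request and refuse to send the reply when the returned header list is non-empty and the text has not been redacted.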