Cookie Theft
Stealing browser cookies that contain session tokens or saved credentials, enabling attackers to access accounts or track browsing without needing passwords.
Also known as: cookie stealing, session cookie theft, browser cookie theft
Last reviewed: 1 June 2026
Browser cookies store data such as session authentication tokens, preferences, and sometimes saved form data. Cookie theft means extracting the cookie files or their values in order to hijack accounts or conduct surveillance.
Attack vectors include cross-site scripting (XSS) where malicious JavaScript reads document.cookie and exfiltrates the data; malware with browser credential-stealer modules (known as 'infostealers'); and man-in-the-middle attacks that intercept Set-Cookie headers. Infostealer malware — commonly distributed through fake software cracks, malicious email attachments, or malvertising — is particularly effective at bulk cookie theft because it targets all saved sessions simultaneously and sends them to attacker-controlled servers.
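From the defender's side, the XSS and interception vectors above map onto two Set-Cookie attributes: HttpOnly keeps a cookie out of document.cookie, and Secure keeps it off plaintext HTTP. The following audit script is an added example, not part of the original entry; the header values are constructed samples and the one-day Max-Age limit is an assumed policy. These attributes do not protect cookies from malware that reads the browser's cookie store.

```python
# Added example: audit Set-Cookie header values against the vectors described above.
MAX_AGE_LIMIT = 86400  # assumed policy: flag session tokens that live longer than one day


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs); attribute names are lowercased."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")  # partition keeps '=' inside the value intact
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header_value):
    """Return the list of findings for one Set-Cookie header value."""
    _, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in attrs:
        findings.append("readable via document.cookie (no HttpOnly)")
    if "secure" not in attrs:
        findings.append("sent over plaintext HTTP (no Secure)")
    try:
        if int(attrs.get("max-age", "0")) > MAX_AGE_LIMIT:
            findings.append("long-lived (Max-Age over limit)")
    except ValueError:
        findings.append("unparseable Max-Age")
    return findings


def audit_headers(header_values):
    """Map each cookie name to its findings."""
    return {parse_set_cookie(h)[0]: audit_cookie(h) for h in header_values}


# Constructed sample headers (not taken from any real site).
SAMPLE_HEADERS = [
    "session=abc123; Path=/",
    "sid=Zm9v=; Path=/; Secure; HttpOnly",
    "prefs=dark; secure; Max-Age=31536000",
]

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(name, "->", findings or "ok")
```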
The market for stolen cookies is active on cybercriminal forums: buyers purchase 'logs' (sets of cookies plus metadata) from infected machines and use them to access the victim's banking, email, or social accounts. Even accounts protected by two-factor authentication can be bypassed if an attacker has a post-login session cookie.
Examples
- Infostealer malware installed via a pirated game collects all browser cookies and transmits them to a criminal marketplace.
- An XSS vulnerability in a forum allows an attacker to steal session cookies from visitors, bypassing their two-factor authentication.