Session Hijacking: It’s More Dangerous Than You Think
I learned the hard way that even the strongest security measures can fail.
Last Friday, just before a long holiday weekend, I was up later than usual, unwinding with some YouTube videos. Suddenly, a notification popped up: a password reset request for my LinkedIn account. I didn’t think much of it; my Gmail address is old, and it has been leaked in numerous data breaches over the years. I felt secure, confident in my complex passwords, SMS OTPs, authenticator apps, and passkeys.
I was wrong.
The Attack Escalates
The hacker began targeting my Reddit and gaming accounts. Then, the real alarm bells rang. I received an OTP email from my airline’s Frequent Flyer Program (FFP). At first, I mistook it for another reset request, but within two minutes, the email vanished from my inbox.
Someone wasn’t just trying to get into my accounts; they were already inside my Gmail, deleting evidence in real-time. I rushed to my laptop, my heart racing. Five minutes later, the “horror email” arrived: my airline FFP account had been compromised, and the login email and phone number had been changed.
Finding the Source
With shaking hands, I checked my active Google sessions. There it was: an unauthorized session originating from the UK. I terminated it immediately and changed my password. To my frustration, I realized Google doesn’t offer a simple “sign out of all locations” button that works instantaneously across all services.
After hours of frantic damage control and endless wait times with airline customer service, I finally had a moment to investigate the “how.”
The “How”: A Stolen Session
The hacker bypassed my MFA because they didn’t need my password—they had my session token. My logs showed that this specific session had been active since 2022. I had no idea it existed.
The culprit? Likely malware combined with my own habits. I frequently left my Gmail signed in on various devices, including my home PC and workplace computer, for convenience. The hacker found my airline password because I had accidentally saved it to Google Password Manager instead of my usual vault, Bitwarden.
Lessons Learned and Self-Reflection
I barely slept that night as the attacks continued on my minor accounts. Fortunately, I secured my primary assets in time, leaving the airline account as the only major casualty. Here is what I’ve learned:
- Never underestimate session hijacking: It bypasses every layer of MFA because the system thinks you are already logged in.
- Beware of single points of failure: Linked accounts and federated logins are convenient, but if one falls, they all fall.
- Sign out: I now sign out of my accounts when not in use, even on “trusted” devices.
- Isolate your security: I now use a dedicated Gmail account solely for security and recovery, and I never sign into it on secondary devices. Only my everyday Gmail account is ever signed in on other devices.
- Habits over software: While EDR and anti-malware are essential, malware evolves faster than signatures. Your digital hygiene is your best defense.
To combat this exact threat, Google is developing Device Bound Session Credentials (DBSC). This technology is quite new and aims to make session hijacking significantly harder by cryptographically binding the session token to a specific piece of hardware (like a computer’s TPM chip). Unlike traditional cookies, which can be stolen and used on any hacker’s laptop, a DBSC token is useless if moved to another device. For the system to authorize a request, the “key” must remain physically on the original device. This is currently a burgeoning web standard; while Google has begun pushing support in Chrome 146, it requires both browser support and website adoption to be effective. Once widely adopted, it could effectively end the era of simple cookie-theft attacks.
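The binding step described above, as an added simulation that is not Google's code or the DBSC wire format: the server ties a cookie to a public key at sign-in and renews it only when the browser signs a fresh challenge, so a copied cookie presented from a machine without the private key is refused. An in-memory Ed25519 key stands in for the TPM-held key; the session store, function names and the session id are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// session is the server's record of one login: the bearer cookie plus the public
// half of the key the browser registered at sign-in (the private half stays on device).
type session struct {
	cookie    string
	pub       ed25519.PublicKey
	challenge []byte // nonce awaiting a signature; nil when none is pending
}

var sessions = map[string]*session{} // assumed server-side store, keyed by session id

func randomToken() string {
	b := make([]byte, 16)
	rand.Read(b)
	return hex.EncodeToString(b)
}

// Register binds a freshly minted cookie to the device's public key at sign-in.
func Register(id string, pub ed25519.PublicKey) string {
	sessions[id] = &session{cookie: randomToken(), pub: pub}
	return sessions[id].cookie
}

// Challenge issues a nonce that must be signed before the cookie is renewed.
func Challenge(id string) []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	sessions[id].challenge = nonce
	return nonce
}

// Refresh rotates the cookie only on a valid signature over the pending challenge,
// so a copied cookie without the bound key is refused; the nonce is consumed as well.
func Refresh(id, cookie string, sig []byte) (string, error) {
	sess, ok := sessions[id]
	if !ok || sess.cookie != cookie || sess.challenge == nil {
		return "", errors.New("unknown session or no pending challenge")
	}
	if !ed25519.Verify(sess.pub, sess.challenge, sig) {
		return "", errors.New("proof of possession failed")
	}
	sess.challenge, sess.cookie = nil, randomToken()
	return sess.cookie, nil
}
```

A server that only checks the cookie value on each request would accept the copied cookie; here every renewal demands a signature that malware exporting the cookie file cannot produce on another machine.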
Will DBSC completely eliminate the threat of session hijacking? The short answer is no. While DBSC prevents a hacker from exporting your session to a different machine, it cannot stop a hacker who has already compromised your device. If malware is running on your system, the attacker can simply “remote control” your active, authenticated browser to steal your assets directly from the source. DBSC makes the hacker’s job harder, but it isn’t a silver bullet; your digital hygiene remains your best defense.
