Two security researchers claim to have developed a new attack that can decrypt session cookies from
HTTPS (Hypertext Transfer Protocol Secure) connections.
Websites use session cookies to remember authenticated users. If an attacker gains access to a user's session cookie while the user is still authenticated to a website, the hacker could use it to access the user's account on that website.
HTTPS should prevent this type of session hijacking because it encrypts session cookies while in transit or when stored in the browser. However, the new attack, devised by security researchers Juliano Rizzo and Thai Duong, is able to decrypt them.
