Mohammedia – Two-factor authentication has long been sold as a strong safety net for online accounts. The idea is simple: even if someone steals your password, they still can’t log in without a second code sent to your phone or generated by an app.
For many users, that extra step feels like a guarantee of safety. But cybersecurity researchers are now warning that hackers have found a way around it — and the trick is almost impossible to notice.
The method doesn’t rely on guessing codes or breaking into phones. Instead, attackers are targeting something most users never think about: session cookies.
These are small pieces of data your browser stores after you log in and sends back with every later request. They tell a website, “Yes, this person is already verified.” If a hacker gets hold of that cookie, they don’t need your password or your two-factor code anymore.
Security researchers say this type of attack is becoming more common, thanks to a phishing tool called Evilginx. It works as a reverse proxy, quietly sitting between a user and the real website they are trying to reach and relaying traffic in both directions without raising suspicion.
How the attack works without raising alarms
The attack usually starts with a link. It can arrive by email, text message, or social media, and it leads to what looks like a normal login page for a bank, email service, or social network. The design is familiar, the address looks convincing, and the browser even shows the HTTPS lock icon. That lock only confirms that the connection to the address in the bar is encrypted; it says nothing about whether that address belongs to the real service.
When the user enters their username and password, the fake page sends that information to the real website in real time. The legitimate site then asks for the second authentication code. The user receives the code, enters it, and successfully logs in — or so it seems.
Behind the scenes, the hacker’s server captures the session cookie created at that moment. This cookie proves to the website that the user has already passed all security checks. The attacker copies it and sends the user on their way, fully logged in and unaware anything is wrong.
With that stolen cookie, hackers can open the account in their own browser as if they were the owner. They don’t need the password again. They don’t need a new code.
They can read emails, change account settings, access personal data, or even move money, depending on the service. This access lasts until the session expires or is manually cut off.
What makes this attack especially dangerous is how invisible it is. Nothing looks broken. No warning appears. Many victims only find out days later, after noticing strange activity or getting an alert from their bank or email provider.
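Because the copied cookie is replayed from the attacker's own browser, the clearest server-side signal is the same session id suddenly arriving from a different address and user agent shortly after the login that issued it. The following detection logic is an added example, not code from the article or from any product it mentions; the log format, field names and sample lines are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): one login event that issues a
# session id, then requests that present that session cookie.  In the third
# and fourth lines the same cookie arrives from a different address and
# browser a few minutes after login, which is what a copied cookie looks like
# when it is replayed from the attacker's own machine.
SAMPLE_LOG = [
    "2024-05-02T09:00:00 login sid=abc123 user=alice ip=203.0.113.10 ua=Firefox/125",
    "2024-05-02T09:03:00 request sid=abc123 user=alice ip=203.0.113.10 ua=Firefox/125",
    "2024-05-02T09:07:30 request sid=abc123 user=alice ip=198.51.100.77 ua=Chrome/124",
    "2024-05-02T09:08:00 request sid=abc123 user=alice ip=198.51.100.77 ua=Chrome/124",
    "2024-05-02T10:00:00 login sid=def456 user=bob ip=192.0.2.5 ua=Safari/17",
    "2024-05-02T10:20:00 request sid=def456 user=bob ip=192.0.2.5 ua=Safari/17",
]


@dataclass
class Event:
    ts: datetime
    kind: str   # "login" (session issued) or "request" (session presented)
    sid: str
    user: str
    ip: str
    ua: str


def parse_event(line: str) -> Event:
    """Parse one space-separated 'timestamp kind key=value ...' log line."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[2:])
    return Event(
        ts=datetime.fromisoformat(parts[0]),
        kind=parts[1],
        sid=fields["sid"],
        user=fields["user"],
        ip=fields["ip"],
        ua=fields["ua"],
    )


def find_replayed_sessions(lines, window=timedelta(minutes=30)):
    """Flag sessions presented from a different client than the one that
    logged in, within `window` of the login.

    IP alone changes legitimately (mobile networks, VPNs), so an IP-only
    change is reported as low confidence; IP and user agent both changing
    is high confidence.  One alert per (session, new ip, new ua).
    """
    issued = {}    # sid -> login Event that created the session
    reported = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.kind == "login":
            issued[ev.sid] = ev
            continue
        login = issued.get(ev.sid)
        if login is None or ev.ts - login.ts > window:
            continue
        ip_changed = ev.ip != login.ip
        ua_changed = ev.ua != login.ua
        if not (ip_changed or ua_changed):
            continue
        key = (ev.sid, ev.ip, ev.ua)
        if key in reported:
            continue
        reported.add(key)
        alerts.append({
            "sid": ev.sid,
            "user": ev.user,
            "login_ip": login.ip,
            "new_ip": ev.ip,
            "login_ua": login.ua,
            "new_ua": ev.ua,
            "seconds_after_login": int((ev.ts - login.ts).total_seconds()),
            "confidence": "high" if (ip_changed and ua_changed) else "low",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_LOG):
        print(alert)
```

Running it on the sample yields a single high-confidence alert for `abc123`, 450 seconds after login; Bob's session, used consistently from one client, produces nothing. In production the same rule would be fed from the web server's access log and would tie into the session revocation step the article recommends.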
Experts say there are ways to reduce the risk. Users should be extremely cautious with unexpected links and always double-check website addresses before logging in.
More secure options, like physical security keys, offer better protection against phishing: the key signs a challenge that is bound to the website’s real domain, so a response produced on a lookalike site is rejected by the genuine one. If there’s any suspicion of a breach, logging out of all active sessions can instantly block attackers by invalidating stolen cookies.
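Logging out everywhere only works when the server, not the cookie, decides whether a session is still valid. The session registry below is an added example, not code from the article or from any service it mentions; the class, method names and timestamps are constructed for illustration. It shows a stolen copy of the cookie being accepted until the owner revokes all sessions, after which the identical value is refused.

```python
import secrets


class SessionStore:
    """Server-side session registry.

    The cookie carries only an opaque random id; whether that id is still
    valid is decided here, so the owner can cancel every copy of it at once.
    Timestamps are passed in explicitly (seconds) to keep the example deterministic.
    """

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}   # sid -> {"user", "created", "revoked"}

    def create(self, user, now):
        """Issue a fresh session after a successful login (password + 2FA)."""
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
        self._sessions[sid] = {"user": user, "created": now, "revoked": False}
        return sid

    def set_cookie_header(self, sid):
        """Header value for the issued session cookie.  Secure/HttpOnly/SameSite
        limit theft by script or plain-HTTP exposure; they do not stop a proxy
        that sees the response, which is why revocation below matters."""
        return (f"session={sid}; Secure; HttpOnly; SameSite=Lax; "
                f"Path=/; Max-Age={self.ttl}")

    def resolve(self, sid, now):
        """Map a presented cookie value to a user, or None if it is unknown,
        expired or revoked.  A stolen copy is identical to the original, so
        this check is the same for owner and attacker."""
        rec = self._sessions.get(sid)
        if rec is None or rec["revoked"]:
            return None
        if now - rec["created"] > self.ttl:
            return None
        return rec["user"]

    def logout_everywhere(self, user):
        """Revoke all of a user's sessions.  Returns how many were revoked."""
        count = 0
        for rec in self._sessions.values():
            if rec["user"] == user and not rec["revoked"]:
                rec["revoked"] = True
                count += 1
        return count


def demo():
    """Walk through the scenario from the article with constructed values."""
    store = SessionStore(ttl_seconds=3600)
    sid = store.create("alice", now=0)
    stolen_copy = sid            # the attacker's copy is byte-for-byte the same
    before = store.resolve(stolen_copy, now=300)     # "alice": replay works
    store.logout_everywhere("alice")
    after = store.resolve(stolen_copy, now=301)      # None: copy now useless
    return before, after


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that nothing in the cookie value itself can be checked for tampering or ownership; a stateless signed token would keep working for the attacker until it expired, whereas a registry lookup lets "log out of all sessions" take effect on the very next request.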
Online security has become a moving target — and hackers are learning how to slip through the gaps without being seen.