A developer has created a $5 device that can hack into screen-locked Macs and potentially other computers as long as a web browser is left running on the desktop.
Samy Kamkar made a YouTube video showing what happens when his creation hacks into a target computer. Called a "Poison Tap", the device runs on a Raspberry Pi Zero which plugs into a computer's USB port.
Once attached to the locked and password-protected Mac, it hijacks all web traffic by posing as a standard internet connection, after which it sets about siphoning and storing the user's HTTP cookies.
The attacker can then potentially use the stolen cookie data to access websites the user visited and log in as them without having to enter a username and password.
Speaking to the BBC, Trend Micro security researcher Rik Ferguson said the device was a plausible threat to users who frequently left their computer unattended.
"[In normal circumstances] Even when you are not using a web browser it is still making requests and communicating - due to updates or ads. Once the device is plugged in it exploits that communication and steals session cookies from the top one million websites."
Two-step verification would be susceptible to the same attack, explained Ferguson, because the device is able to intercept the cookies and pretend it is already in an open session. The only way to guard against such an attack would be for websites to use an encrypted connection such as HTTPS.
Otherwise, the best solution is for users to ensure they close their browser every time they leave their Mac unattended, or else close it down completely.
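The article's point that only an encrypted connection protects against this kind of cookie theft can be checked from the website operator's side: a browser only keeps a cookie off plaintext HTTP requests when the Set-Cookie header carries the Secure attribute, and a Strict-Transport-Security (HSTS) header tells a browser that has already visited the site to refuse plaintext requests in future. The following audit script is an added example written for this page, not code from the article or from the PoisonTap project; the response headers it inspects are constructed sample values.

```python
"""Audit HTTP response headers for cookies a browser would still send over
plaintext HTTP, the channel a rogue USB network device can intercept.

Added example; the headers below are constructed, no network access is needed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CookieAttrs:
    name: str
    secure: bool       # Secure attribute present: never sent over plain HTTP
    http_only: bool    # HttpOnly attribute present: not readable by page script
    samesite: str      # SameSite value, or "" when absent


def parse_set_cookie(header_value: str) -> CookieAttrs:
    """Parse one Set-Cookie header value into its name and security attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = ""
    return CookieAttrs(
        name=name,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        samesite=attrs.get("samesite", ""),
    )


def audit_response(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return the cookies exposed to plaintext interception plus other warnings.

    'exposed' lists cookie names lacking the Secure attribute; 'warnings' lists
    weaker findings (missing HttpOnly, missing HSTS header).
    """
    exposed: List[str] = []
    warnings: List[str] = []
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if not cookie.secure:
            exposed.append(cookie.name)
        if not cookie.http_only:
            warnings.append(f"{cookie.name}: missing HttpOnly")
    if not has_hsts:
        warnings.append("no Strict-Transport-Security header")
    return {"exposed": exposed, "warnings": warnings}


# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),           # no Secure: exposed
    ("Set-Cookie", "csrf=xyz; Path=/; Secure; SameSite=Strict"),  # protected
    ("Set-Cookie", "prefs=dark; Path=/"),                         # exposed, no HttpOnly
]


if __name__ == "__main__":
    report = audit_response(SAMPLE_HEADERS)
    for name in report["exposed"]:
        print(f"EXPOSED  cookie '{name}' would be sent over plain HTTP")
    for warning in report["warnings"]:
        print(f"WARNING  {warning}")
```

Running the script on the sample headers flags `session` and `prefs` as exposed, because a browser lured into making a plain HTTP request to that site would attach both cookies; `csrf` is not listed since its Secure attribute keeps it off unencrypted connections. Pointing `audit_response` at the headers of a real deployment is a quick way for a site operator to confirm the HTTPS protection the article describes is actually in effect.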