Thousands of Firefox cookie databases containing sensitive data are sitting in public GitHub repositories, where anyone can fetch them, and the data they hold is potentially usable for hijacking authenticated sessions.
These cookies.sqlite databases normally reside in the Firefox profile folder and are used to persist cookies between browsing sessions. They're findable by searching GitHub with specific query parameters, what's known as a search "dork."
Aidan Marlin, a security engineer at London-based rail travel service Trainline, alerted The Register to the public availability of these files after reporting his findings through HackerOne and being told by a GitHub representative that "credentials exposed by our users are not in scope for our Bug Bounty program."
Marlin then asked whether he could make his findings public and was told he's free to do so.
"I'm frustrated that GitHub isn't taking its users' security and privacy seriously," Marlin told The Register in an email. "The least it could do is prevent results coming up for this GitHub dork. If the individuals who uploaded these cookie databases were made aware of what they'd done, they'd s*** their pants."
Marlin acknowledges that affected GitHub users deserve some blame for failing to prevent their cookies.sqlite databases from being included when they committed code and pushed it to their public repositories. "But there are nearly 4.5k hits for this dork, so I think GitHub has a duty of care as well," he said, adding that he's alerted the UK Information Commissioner's Office because personal information is at stake.
Marlin speculates that the oversight is a consequence of committing code from one's Linux home directory. "I imagine in most of the cases, the individuals aren't aware that they've uploaded their cookie databases," he explained. "A common reason users do this is for a common environment across multiple machines."
GitHub dorks are not new, but they often only affect a single service, like AWS, Marlin said. This particular gaffe is troubling because it could allow an attacker to access any internet-facing website to which the GitHub user was authenticated at the time the cookie files were committed. He added that dorks for other browsers can probably also be found.
Exploitation, Marlin said, would be very easy. It's just a matter of creating a new Firefox profile on your local machine, downloading the cookies.sqlite file, and placing it within that profile's folder (with Firefox not running on that profile, so the browser doesn't overwrite the file on startup). "You'll be authenticated on any services which the user was logged in on when they committed the database," explained Marlin.
There's a theoretical complication. Firefox offers an option, the primary password, to protect saved logins and passwords. But as far as we can tell, that protection covers only the stored credentials, not the cookies.sqlite file, which is an ordinary unencrypted SQLite database readable with any SQLite client. The Register was able to examine multiple Firefox cookie databases with Marlin's guidance.
When the visibility of cookies came up five years ago as a Firefox macOS bug submission, it was closed.
And even if the cookies.sqlite file were protected by a database-level password (stock SQLite has no such feature; it would need an encryption extension), it probably wouldn't offer much protection: various open source projects offer the ability to crack password-protected .sqlite files, and there are commercial offerings of this sort too.
To underscore the seriousness of exposing these databases, consider the recently described Android proof-of-concept exploit of CVE-2020-15647, which was used to exfiltrate the Firefox cookies database from a device.
Mozilla confirmed Marlin's claims about the risk of exposing these files in an email to The Register on Thursday.
"Protecting the privacy of internet users is at the core of Mozilla's work," a Mozilla spokesperson said. "When using code hosting services, we encourage users to use caution when considering the sharing of private data directly on public websites. When choosing to backup sensitive Firefox profile data, Mozilla recommends Firefox Sync, which encrypts and safely stores files within Firefox servers."
One mitigating factor at least is that sessions and their associated cookies tend to expire relatively quickly, so the older a committed database is, the less of it an attacker can still replay.
There's precedent for GitHub to take action to help those who have been unwittingly publishing their cookie databases. The social code biz has been scanning for exposed credentials in repos since 2015 and now scans for more than 70 different types of secrets. Here's one more to add to the list.
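Two things a practitioner would want to check, as an added example that is not code from The Register, Marlin or GitHub: what a leaked cookies.sqlite actually gives an attacker once dropped into a fresh profile (only the cookies that have not yet expired, which is the mitigating factor above), and how a pre-commit check could catch such a file before it is pushed, by content rather than by file name, since the file is just as dangerous when renamed. The script below constructs its own small cookies.sqlite in a temporary directory using a subset of Firefox's moz_cookies columns (the column names and the use of Unix seconds in `expiry` are assumptions about the real schema; the cookie values are made up), then runs both checks against it. It opens databases read-only and never returns cookie values, so triage does not spread the secret further.

```python
import os
import sqlite3
import tempfile
import time
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"

# Subset of Firefox's moz_cookies table (assumed column names; expiry = Unix seconds).
SCHEMA = """
CREATE TABLE moz_cookies (
    id INTEGER PRIMARY KEY, name TEXT, value TEXT, host TEXT, path TEXT,
    expiry INTEGER, isSecure INTEGER, isHttpOnly INTEGER
);
"""


def make_sample_cookie_db(path, now):
    """Write a constructed cookies.sqlite: two live cookies, one already expired."""
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    rows = [  # name, value (made up), host, path, expiry, isSecure, isHttpOnly
        ("user_session", "s3ss10n-t0k3n", "github.com", "/", now + 14 * 86400, 1, 1),
        ("sid", "abc123", ".example.com", "/", now + 3600, 1, 0),
        ("sid", "stale", ".old.example", "/", now - 60, 0, 0),
    ]
    con.executemany(
        "INSERT INTO moz_cookies (name, value, host, path, expiry, isSecure, isHttpOnly)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    con.commit()
    con.close()


def _open_ro(path):
    # Read-only URI open: never modify the file being examined.
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def is_firefox_cookie_db(path):
    """True if the file is an SQLite database with a moz_cookies table.
    Decided by content, so a renamed copy is still caught."""
    try:
        with open(path, "rb") as f:
            if f.read(len(SQLITE_MAGIC)) != SQLITE_MAGIC:
                return False
        con = _open_ro(path)
        try:
            row = con.execute(
                "SELECT 1 FROM sqlite_master WHERE type='table' AND name='moz_cookies'"
            ).fetchone()
        finally:
            con.close()
        return row is not None
    except (OSError, sqlite3.DatabaseError):
        return False


def live_cookies(path, now):
    """Cookies not yet expired at `now`: what a fresh profile could replay.
    Values are deliberately not returned."""
    con = _open_ro(path)
    try:
        rows = con.execute(
            "SELECT host, name, expiry, isSecure, isHttpOnly FROM moz_cookies"
            " WHERE expiry > ? ORDER BY host, name", (now,)).fetchall()
    finally:
        con.close()
    return [{"host": h, "name": n, "seconds_left": e - now,
             "secure": bool(s), "httponly": bool(ho)} for h, n, e, s, ho in rows]


def scan_tree(root):
    """Pre-commit style check: paths (relative to root) of every Firefox
    cookie database under root, found by content rather than name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if is_firefox_cookie_db(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def main():
    now = int(time.time())
    with tempfile.TemporaryDirectory() as repo:
        prof = os.path.join(repo, ".mozilla", "firefox", "abcd1234.default-release")
        os.makedirs(prof)
        make_sample_cookie_db(os.path.join(prof, "cookies.sqlite"), now)
        make_sample_cookie_db(os.path.join(repo, "notes.db"), now)  # renamed copy
        with open(os.path.join(repo, "cookies.sqlite"), "w") as f:
            f.write("just a text file\n")  # well-known name, but not a database
        for hit in scan_tree(repo):
            print("REFUSING COMMIT: Firefox cookie database at", hit)
            for c in live_cookies(os.path.join(repo, hit), now):
                print("   live cookie %s for %s, %dh left"
                      % (c["name"], c["host"], c["seconds_left"] // 3600))


if __name__ == "__main__":
    main()
```

Wired into a pre-commit hook, `scan_tree` (or `is_firefox_cookie_db` over the staged file list) refuses the commit for the real profile file and the renamed copy while ignoring the text decoy; the same content check is what a hosting-side secret scanner could apply to pushed blobs. A `.gitignore` entry for `.mozilla/` and `cookies.sqlite` is still worth adding for the home-directory-as-repo case Marlin describes, but it does not catch a renamed file, and the content check does.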
GitHub did not respond to a request for comment.
See the original post:
Thousands of Firefox users accidentally commit login cookies on GitHub - The Register