Thousands of Firefox cookie databases containing sensitive data that could be used to hijack authenticated sessions are currently discoverable in public GitHub repositories.
As reported by The Register and first spotted by security engineer Aidan Marlin, these cookies.sqlite databases store cookies between browsing sessions and are normally found in a user's Firefox profile folder. However, by searching GitHub with a specific set of query parameters known as a search “dork”, they can be found online.
Marlin reached out to the news outlet after he first tried reporting his findings to GitHub through HackerOne. However, a GitHub representative informed Marlin that “credentials exposed by our users are not in scope for our Bug Bounty program”. He then asked GitHub if he could make his findings public and provided further details on the matter to The Register in an email, saying:
"I'm frustrated that GitHub isn't taking its users' security and privacy seriously. The least it could do is prevent results coming up for this GitHub dork. If the individuals who uploaded these cookie databases were made aware of what they'd done, they'd s*** their pants."
Accidentally exposed cookie databases
The affected users accidentally uploaded their own cookies.sqlite database when committing code and pushing it to their public repositories on GitHub. Since the dork turns up almost 4.5k results, Marlin believes GitHub should be doing more, and he has also alerted the UK Information Commissioner's Office that users' personal information is in jeopardy.
Marlin believes that users accidentally uploaded their cookies.sqlite databases by committing code from their own Linux home directory. Most of the individuals involved probably don't even realize that they have put their cookie databases online for anyone else to find.
The affected users' accounts are also at risk: according to Marlin, an attacker could download a cookie database and place it in the folder of a newly created Firefox profile on their own machine. That profile would then be authenticated to any service the user was logged in to when the database was committed.
In an email to The Register, a Mozilla spokesperson confirmed Marlin's theory and explained that developers should use Firefox Sync when using code hosting services like GitHub, saying:
"Protecting the privacy of internet users is at the core of Mozilla’s work. When using code hosting services, we encourage users to use caution when considering the sharing of private data directly on public websites. When choosing to backup sensitive Firefox profile data, Mozilla recommends Firefox Sync, which encrypts and safely stores files within Firefox servers."
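A defensive counterpart to the accidental commits described above, added here as an example (not code from the article, GitHub or Mozilla): a git pre-commit hook that refuses to commit Firefox profile files by name and, for copies that were renamed, by checking for the moz_cookies table Firefox keeps in cookies.sqlite. The list of profile filenames is an assumption; install it by saving the script as .git/hooks/pre-commit and making it executable.

```python
"""Git pre-commit hook: refuse to commit Firefox profile artifacts such as cookies.sqlite."""
import contextlib
import os
import sqlite3
import subprocess
import sys
import tempfile

# Files found in a Firefox profile directory that carry session or credential material
# (assumed list; extend as needed).
FIREFOX_PROFILE_FILES = {"cookies.sqlite", "cookies.sqlite-wal", "cookies.sqlite-shm",
                         "key4.db", "logins.json", "places.sqlite", "formhistory.sqlite"}
SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def is_firefox_cookie_db(path):
    """True if `path` is a SQLite file holding a moz_cookies table, whatever it was renamed to."""
    try:
        with open(path, "rb") as f:
            if f.read(16) != SQLITE_MAGIC:
                return False
        with contextlib.closing(sqlite3.connect(f"file:{path}?mode=ro", uri=True)) as con:
            return con.execute("SELECT 1 FROM sqlite_master WHERE type='table' "
                               "AND name='moz_cookies'").fetchone() is not None
    except (OSError, sqlite3.Error):
        return False


def flagged_paths(paths):
    """Subset of `paths` that look like Firefox profile data, by filename or by content."""
    return [p for p in paths if os.path.basename(p) in FIREFOX_PROFILE_FILES
            or (os.path.isfile(p) and is_firefox_cookie_db(p))]


def _make_db(name, *sql):
    """Create a SQLite file in a fresh temp dir and run `sql` in it (constructed test fixtures only)."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with contextlib.closing(sqlite3.connect(path)) as con:
        for stmt in sql:
            con.execute(stmt)
        con.commit()
    return path


if __name__ == "__main__":  # invoked by git as .git/hooks/pre-commit
    staged = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=AM", "-z"],
                            capture_output=True, check=True).stdout.split(b"\0")
    bad = flagged_paths([p.decode() for p in staged if p])
    if bad:  # non-zero exit aborts the commit
        sys.exit("Refusing to commit Firefox profile data:\n  " + "\n  ".join(bad))
```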
Via The Register