Thousands of Firefox users have their data compromised in unusual circumstances.

Thousands of Firefox cookie databases containing sensitive data that could be used to hijack authenticated sessions are currently available on request in GitHub repositories.

As reported by The Register and first spotted by security engineer Aidan Marlin, these cookies.sqlite databases are used to store cookies between browsing sessions and are typically found in a user's Firefox profiles folder. However, by searching GitHub using specific query parameters, known as a search "dork", they can be found online.

Marlin reached out to the media after first trying to report his findings to GitHub via HackerOne. However, a GitHub representative informed Marlin that "credentials exposed by our users are not covered by our Bug Bounty program." He then asked GitHub if he could make his findings public and provided more details about it to The Register in an email, saying:

"It frustrates me that GitHub doesn't take the security and privacy of its users seriously. The least you can do is avoid the results of this GitHub idiot. If the people who downloaded these databases have cookies they would be informed of what they would, fuck the pants."

Affected users accidentally uploaded their own cookies.sqlite database while committing code and pushing it to their public repositories on GitHub. However, with this dork returning nearly 4,500 results, Marlin believes that GitHub should be doing more and has also alerted the UK Information Commissioner's Office that users' personal information is at risk.

Marlin believes that users accidentally uploaded their cookies.sqlite databases while committing code from their own Linux home directory. Most likely, the people involved do not even realize that they are putting their cookie databases online where someone else can find them.

The security of affected users is also at risk because an attacker could download their cookie databases and place them in the folder of a newly created Firefox profile on the attacker's own machine. This would allow the attacker to authenticate to whatever services the users were logged into when they committed their databases, according to Marlin.
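One way to catch this mistake in a working tree before pushing, given as an added example that does not come from the article, Marlin or Mozilla. The function names are hypothetical; `moz_cookies` is the table Firefox keeps in cookies.sqlite, and files are matched by content so a renamed copy is still found.

```python
import os
import sqlite3
import sys
import urllib.parse

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def is_firefox_cookie_db(path):
    """True if path is a SQLite file that contains Firefox's moz_cookies table."""
    try:
        with open(path, "rb") as fh:
            if fh.read(16) != SQLITE_MAGIC:
                return False
        # Read-only and immutable: the scan never writes, and a WAL-mode
        # database copied without its -wal/-shm side files still opens.
        uri = ("file:" + urllib.parse.quote(os.path.abspath(path))
               + "?mode=ro&immutable=1")
        conn = sqlite3.connect(uri, uri=True)
        try:
            row = conn.execute(
                "SELECT 1 FROM sqlite_master "
                "WHERE type='table' AND name='moz_cookies'"
            ).fetchone()
        finally:
            conn.close()
        return row is not None
    except (OSError, sqlite3.Error):
        return False


def find_cookie_dbs(root):
    """Walk a working tree (skipping .git) and list cookie databases found."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_firefox_cookie_db(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


if __name__ == "__main__":
    found = find_cookie_dbs(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path in found:
        print("Firefox cookie database in tree:", path)
    sys.exit(1 if found else 0)  # non-zero exit lets a pre-commit hook block
```

Run from a pre-commit hook, the non-zero exit status stops the commit when a cookie database is present in the tree.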

In an email sent to The Register, a Mozilla spokesperson confirmed Marlin's theory and explained that developers should use Firefox Sync when using code hosting services like GitHub, saying:

“Protecting the privacy of Internet users is at the core of Mozilla's work. When using code hosting services, we advise users to exercise caution when considering sharing private data directly on public websites. When choosing to back up sensitive Firefox profile data, Mozilla recommends Firefox Sync, which encrypts and securely stores files on Firefox servers.”


Via The Register