Thousands of Firefox users see data compromised in unusual circumstances

Firefox users accidentally uploaded their cookie databases to GitHub when committing code


Thousands of Firefox cookie databases, which contain sensitive data that could potentially be used to hijack authenticated sessions, are currently retrievable from public GitHub repositories.

As reported by The Register and first spotted by security engineer Aidan Marlin, these cookies.sqlite databases are used to store cookies between browsing sessions and are normally found in a user’s Firefox profile folder. However, by searching GitHub with specific query parameters, known as a search “dork”, they can be found online.

Marlin reached out to the news outlet after he first tried reporting his findings to GitHub through HackerOne. However, a GitHub representative informed Marlin that “credentials exposed by our users are not in scope for our Bug Bounty program”. He then asked GitHub if he could make his findings public and provided further details on the matter to The Register in an email, saying:

“I’m frustrated that GitHub isn’t taking its users' security and privacy seriously. The least it could do is prevent results coming up for this GitHub dork. If the individuals who uploaded these cookie databases were made aware of what they’d done, they’d s*** their pants.”

Accidentally exposed cookie databases

The affected users accidentally uploaded their own cookies.sqlite database when committing code and pushing it to their public repositories on GitHub. However, since this dork turns up almost 4.5k results, Marlin believes GitHub should be doing more, and he has also alerted the UK Information Commissioner’s Office that users' personal information is in jeopardy.

Marlin believes that users accidentally uploaded their cookies.sqlite databases by committing code from their own Linux home directory. The individuals involved most likely don’t even realize that they have put their cookie databases online for anyone else to find.

The affected users' accounts are also at risk. According to Marlin, an attacker could download a cookie database and place it in the folder of a newly created Firefox profile on their own machine, which would leave them authenticated to any service the user was logged in to when the database was committed.
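One defensive check that follows from the leak described above, added here as an example and not code from the article, GitHub or Mozilla: a git pre-commit hook in Python that refuses a commit when a staged file is Firefox's cookies.sqlite, or is any SQLite file containing the moz_cookies table (so a renamed copy is caught too). The hook wiring, the sample file names and the simplified table schema in the demo are assumptions.

```python
import os
import sqlite3
import subprocess
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file
COOKIE_TABLE = "moz_cookies"           # table Firefox keeps its cookies in

def is_firefox_cookie_db(path):
    """True if `path` is a SQLite file containing moz_cookies; catches renamed copies too."""
    try:
        with open(path, "rb") as fh:
            if fh.read(16) != SQLITE_MAGIC:
                return False
        con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
        try:
            row = con.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                              (COOKIE_TABLE,)).fetchone()
        finally:
            con.close()
    except (OSError, sqlite3.DatabaseError):
        return False
    return row is not None

def find_cookie_dbs(paths):
    """Paths named cookies.sqlite or whose content is a Firefox cookie database."""
    return [p for p in paths if os.path.basename(p) == "cookies.sqlite" or is_firefox_cookie_db(p)]

def staged_files():  # files added or modified in the index, i.e. what the pending commit would publish
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=AM"],
                         capture_output=True, text=True, check=True).stdout
    return [line for line in out.splitlines() if line]

def demo():
    """Constructed sample: a renamed cookie DB, an unrelated SQLite DB and an empty file."""
    d = tempfile.mkdtemp()
    cookie_db, other_db, empty = (os.path.join(d, n) for n in ("backup.db", "app.db", "notes.txt"))
    con = sqlite3.connect(cookie_db)  # simplified moz_cookies schema, constructed for this demo
    con.executescript("CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, host TEXT, name TEXT, value TEXT);"
                      "INSERT INTO moz_cookies VALUES (1, 'example.com', 'session', 'dummy-value');")
    con.close()
    con = sqlite3.connect(other_db)
    con.executescript("CREATE TABLE notes (body TEXT);")
    con.close()
    open(empty, "w").close()
    return [os.path.basename(p) for p in find_cookie_dbs([cookie_db, other_db, empty])]

if __name__ == "__main__":  # installed as .git/hooks/pre-commit, a non-zero exit blocks the commit
    hits = find_cookie_dbs(staged_files())
    raise SystemExit("Refusing commit, Firefox cookie database staged: " + ", ".join(hits) if hits else 0)
```

Pairing the hook with a `.gitignore` entry for the Firefox profile directory stops the file from being staged in the first place; the hook is the backstop for copies that were moved or renamed.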


In an email to The Register, a Mozilla spokesperson confirmed Marlin’s theory and explained that developers should use Firefox Sync when using code hosting services like GitHub, saying:

“Protecting the privacy of internet users is at the core of Mozilla’s work. When using code hosting services, we encourage users to use caution when considering the sharing of private data directly on public websites. When choosing to back up sensitive Firefox profile data, Mozilla recommends Firefox Sync, which encrypts and safely stores files within Firefox servers.”


Via The Register

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
