Thousands of Firefox Users Accidentally Commit Login Cookies On GitHub

Thousands of Firefox cookie databases containing sensitive data are available on request from GitHub repositories, data potentially usable for hijacking authenticated sessions. The Register reports: These cookies.sqlite databases normally reside in the Firefox profiles folder. They're used to store cookies between browsing sessions. And they're findable by searching GitHub with specific query parameters, what's known as a search "dork." Aidan Marlin, a security engineer at London-based rail travel service Trainline, alerted The Register to the public availability of these files after reporting his findings through HackerOne and being told by a GitHub representative that "credentials exposed by our users are not in scope for our Bug Bounty program."

Marlin then asked whether he could make his findings public and was told he's free to do so. "I'm frustrated that GitHub isn't taking its users' security and privacy seriously," Marlin told The Register in an email. "The least it could do is prevent results coming up for this GitHub dork. If the individuals who uploaded these cookie databases were made aware of what they'd done, they'd s*** their pants."

Marlin acknowledges that affected GitHub users deserve some blame for failing to prevent their cookies.sqlite databases from being included when they committed code and pushed it to their public repositories. "But there are nearly 4.5k hits for this dork, so I think GitHub has a duty of care as well," he said, adding that he's alerted the UK Information Commissioner's Office because personal information is at stake. Marlin speculates that the oversight is a consequence of committing code from one's Linux home directory. "I imagine in most of the cases, the individuals aren't aware that they've uploaded their cookie databases," he explained. "A common reason users do this is for a common environment across multiple machines."

Must be patched already

[Anonymous Coward]

Went to github and searched for cookies.sqlite and no direct files showed up.

Re: Must be patched already

[Anonymouse Cowtard]

You need to search like a dork.

Re:

[BoogieChile]

Working fine for me. But then, I'm one of those weirdos that read the instructions.

Re:

[Aighearach]

That's because you don't have a soul, and so it can't go and search on your behalf.

When an actual human directly searches, they get lots of relevant results.

Well, assuming they're a developer who has a reason to be searching on github. If not, they might not have any idea what the results even are! But this is slashdot. A place for nerds.

Re: Since when do searches return usefull results?

[SchizoDuckie]

Github is an excellent tool for finding passwords though! Requires some getting used to maybe but it's pretty workable. What irks me is that it doesnt always show all result categories for some searches (INI is skipped often)

Re: Must be patched already

[sectokia]

The author is assuming many things. We have the database so we can launch tests with set cookie conditions. I expect a lot of people do. It doesnâ(TM)t make any sense that people would go out of their way to somehow include their browsers database cookie history in a git repository.

Ummhow?

[mattventura]

I even read TFA and it doesn’t explain how one manages to accidentally commit a file that one wouldn’t normally find in a code project.

Re: Ummhow?

[RegistrationIsDumb83]

The last line in the quote is that users are commiting their whole home folders for a common environment. Which seems dumb for many reasons, but apparently 4,500 people are doing it.

Re: Ummhow?

[Mononymous]

Then why the focus on Firefox? This story should say they're uploading everything. Most people have more private stuff in their home directory than just some login cookies.

Re:

[jarkus4]

Apparently github mitigates sharing secrets ("scans for more than 70 different types of secrets") and I guess FF cookie database didn't make this list.

Re:

[brickhouse98]

Yes. Seems like a layer 8 issue. While github and others could take care to exclude some things by default in a .gitignore, c'mon.

Re:

[jonadab]

The Firefox passwords DB is a common file with a consistent filename, so it was relatively easy to construct a query that consistently finds it, and this finds a substantial fraction of the people who have committed their entire home directory trees. And unlike common config files (e.g., .bashrc) that also could have been used, it typically contains sensitive data, so you aren't going to get a lot of false positives (e.g., people who committed their .bashrc on purpose, which is not such a wholly unreasonab

Re:

[kyoko21]

Jesus... haven't these people heard of PortableFirefox?

Don't crap where you work, don't work where you crap. You gotta keep all the things/environment separated.

Sometimes, besides just teaching people how to code, they need to be taught some common sense. *sigh*

Re: Ummhow?

[PPH]

Not just Firefox. The subject f*up occurs (as you stated) by committing their home folders which contain ~/.mozilla. Home directories also include the ~/.ssh directory tree. Private keys and all.

Re: Ummhow?

[Zero__Kelvin]

No, that does not happen because GitLab already has code to make sure your .ssh dir isn't uploaded. It doesn't check for the SQLite file. That is the whole point of the story / issue.

Re:

[tender-matser]

So, is it gitlab or github?

Re: Ummhow?

[Zero__Kelvin]

I mistakenly wrote lab. It seems it is hub. Mea culpa.

Re:

[PPH]

There are a lot of applications that store private information in their own dot configuration files. It's great that you trust a couple of gits not to copy your ~/.ssh directory. But I'm not certain they are aware of all the other stuff they should not be tracking.

Possible solution: If they see sub directories like .mozilla, .ssh, .cache, etc., just pop up a warning to the effect that the user shouldn't be doing this. Or refuse to upload altogether.

Re: Ummhow?

[Zero__Kelvin]

You can access GitHub using command line git. That approach would break that capability.

Re:

[Antique Geekmeister]

It's also an ongoing issue for unencrypted SSH private keys and for AWS keys.

Re:

[bradley13]

As other pointed out, this has nothing to do with Firefox. Many students have absolutely no concept of what a file system is. What's a directory? What's a path? Stuff is just "magically" there, usually in the cloud or something. I ask them where their course workspace is, and...no clue. One of the topics in my courses is, in fact, Git. I haven't yet seen anyone commit their home directory, but I can certainly see it happening.

Apple users seem especially clueless, but this is a general problem: Apple, Micr

Re:

[Viol8]

Whats more worrying is a lot of these morons will probably become webdevs on sites that have security systems with code they may work on.

Re:

[AmiMoJo]

It is to do with Firefox.

Firefox uses Mercurial, not git. So there is no standard .gitignore file included, you have to roll your own if you want to put the code on Github.

Firefox is complex to build, and the tools are old and obscure, so most people don't mess with the default set-up. The default is to create a development build inside the same directory as the source code, complete with profile folder. The idea is that you can run the development build concurrently with the stable version you have install

Re: Ummhow?

[reanjr]

Apple's users are excessively clueless because Apple has been hiding filesystems from their users for much longer. Windows will probably catch up soon.

But uploading your home folder in Windows probably isn't nearly as useful as uploading you Mac's home directory, so this particular issue is more likely to come up for Mac users. And I guess Linux users, but let's be realistic here; the Linux users are fewer and way less likely to do this.

Re:

[lsllll]

When non-security-minded programmers program. This is what happens when you promote the idea that "anybody" can program. Real-world programming is not just about writing code.

Re:

[coofercat]

I just took a look - yes, 4475 results for the file.

There are a few "home directories" in the list - and yes, they do seem to be committing everything, but I couldn't see anything terribly bad in there (in the 10 seconds of looking). The cookies file does contain something, but probably not as confidential as TFA makes out.

There are also *loads* of repos that look like they're including a cookies.sqlite file for the code to use - but it's not "in use", so again, probably no confidential information in them.

Re:

[AmiMoJo]

It's a feature of git.

Most other versioning systems require files to be opted in. Git by default opts in everything, and files/folders have to be specifically excluded.

In some ways that's great. It's easy to forget to add newly created files to version control. It can be particularly annoying with auto-generated files, like libraries for embedded systems. On the other hand, it's very easy to accidentally include a load of stuff you didn't mean to.

Re: Ummhow?

[reanjr]

Git is predicated on the concept of a filesystem directory. If you try to use Git without understanding how filesystems are organized, you're gonna have a bad time. Unfortunately, recent /. stories have made it clear younger "professional" are completely clueless about filesystems, even though every low-level office worker from the 90s understands it pretty well.

Re:

[jonadab]

Short version: people are idiots.

Longer version: people do all *kinds* of things they don't intend to do. They email complaints about their boss *to* their boss when they intend to only send them to a coworker. They delete documents they've spent hours creating. They lose track of their passwords. They fly their remote-control drones out over water and let the batteries run out. Of *course* they put things in git repositories that they don't mean to make public. The thing that makes Firefox's DB fil

Re: Ummhow?

[Zero__Kelvin]

You answered your own question essentially. One commits this file by committing files that normally wouldn't be committed as part of the source code for a project.

Re: Ummhow?

[sectokia]

They are included to load browser test statesmen. The person who discovered and reported this is a moron.

Obviously they're not thinking things through

[93 Escort Wagon]

I keep certain files like .bash_profile and .zshrc, in a private git repo. I even have a generic ssh config file in there, and some generic scripts. But I'm surprised that anyone who knows what a home directory is wouldn't immediately realize why it's a bad idea to shove the whole thing into git(hub).

Are these the same people who keep exposing unprotected mongo db instances to the world?

Why is it github's problem?

[bb_matt]

Sure, I get that it's clearly a relatively widespread fubar - but why should github be responsible for a user error?
Do you expect github to vet every single file pushed to a repo?

There's a certain level of responsibility that users have to take here.
If I had accidentally committed files to github, which led to some of my online accounts being compromised, or worse still, an entire server, sure, I'd be pissed and in a lot of trouble. But I sure as hell wouldn't hold github responsible for it. I'd own my mistake.

What precedence does this set, if github start trying to protect users from their own mistakes?
That on a push to a github repo, it should scan what you are pushing and error if it detects common patterns - ".ssh folder detected - push aborted"
Ok, so prevent searching for common patterns on github - but what if there's a reason for having something with a common matching pattern? - and how many patterns are we talking about here?

As an end user, these services at used at your own risk - github can't prevent you from, say, uploading private keys to a public repo - and why should it?

Re:

[Rockoon]

I think it isnt so much that githib should vet every file uploaded, but rather that it isnt much work to somehow protect people from some common oversights and issues.

Its not easy to delete critical system files in most operating systems. Should the OS's stop protecting the user?

Re:

[jarkus4]

From TFA:
"There's precedent for GitHub to take action to help those who have been unwittingly publishing their cookie databases. The social code biz has been scanning for exposed credentials in repos since 2015 and now scans for more than 70 different types of secrets. Here's one more to add to the list."

Re:Why is it github's problem?

[scamper_22]

I work in the security and like it or not, user error is an issue. Rather than focus on accountability, I always try to frame it as responsibility.

What can you do to make sure bad things don't happen.
Users can be more responsible.
Github can do various things to try and prevent problems.

There's so much Github can do. As you point out, they can examine the proposed files for commit and decide if they should warn the user about it. It's something that should always be kept up to date and maintained. Who knows how many rules it is. You assign someone to that task and let it play out.

Think of it like email. At my workplace, we scan outgoing emails to see if people are sending internal information.

We could just take the accountability approach and say if you're caught doing it, company will be mad at you! Maybe you get fired! But at the end of the day, we're more concerned with making sure internal information is not sent outside.

So there is a team that works with these rules. It will scan for attachments of files types (like say common programming language extensions .cs...). It's ALWAYS a work in progress and is never perfect, but you try. You will end up balancing false positive and false negatives. You will end up dealing with performance and load issues. You will end up having to deal with having to change people's practices.

For example, sometimes people are working with a vendor and have valid reasons for sending code externally. You bet they get annoyed when the practice they were doing for years suddenly stops working. Maybe they start sending encrypted zips. Maybe they start using secure repositories...

In short. Github can and should prevent you from uploading private keys to a public repo and it absolutely SHOULD try and prevent such cases.

It doesn't matter if it's free or not. I'm sure they have at least some people working at the company.

Re:

[bb_matt]

I get what you are saying, eloquently written.

It's a tricky one, I've been trying to find a physical analogy for this - and the only one I could really think of, that is in any way related, is:

You leave a spare house key in your mailbox. You always do this, in every house you've ever lived in.
One day, you get home to find your house has been burgled, that someone found the key in the mailbox.

Who do you blame or who do you expect should have warned you.
The Post Office?
Your local Council?
The door manufacture?

Re:

[scamper_22]

It will always be a balance. Even in the physical world, we have all kinds of safety devices. Yes, everyone should learn to use the tool properly.

Driving is a good one. We all want people to be better drivers. Driving accidents not only cost people money, but also lives. People can and should learn to drive properly.

But there's so much manufacturers and others can do to make it better.
People should turn their head to check the rear. But why not add a rear view mirror to help them. Also why not add a backup

How many

[nopenopenopenope]

I bet they all subscribe to agile as a development methodology.
I bet most of them work for silicon valley corporations too.

Secrets that GitHub checks for.

[Anonymous Coward]

Here's the list of secrets that GitHub checks for in *private* repositories. https://docs.github.com/en/cod... [github.com] Here's the list of secrets that GitHub checks for in *public* repositories. https://docs.github.com/en/cod... [github.com]

I've had this sort of problem myself.

[Qbertino]

I do web development, which means I like to do *everything* on my main application layer, because it's fun, makes development easy, gives me the control I need to move fast and speeds up time-to-market.

It also means that I have to be very careful not to commit any critical data lying around somewhere to any repo I don't completely own and control access to. The course of action is not to have critical data 'lying around' and to store everything critical in one type of file (usually .env) and have it .gitign

Re:

[The Evil Atheist]

I still don't get why you would commit everything in a directory in the first place. Do people not review changes before they even commit something?

Re: I've had this sort of problem myself.

[reanjr]

And I don't understand why you'd put secure runtime data in the same folder as code in the first place.

Everytime a developer at my place creates a new project, they have to go through the same process of re-learning that our code is mounted read-only, and we're not changing that. Stop putting your runtime data in the code directory.

Blame

[JBMcB]

I'm frustrated that GitHub isn't taking its users' security and privacy seriously

1. Github provides free public facing code repository service
2. Users do something stupid with their free service
3. Users now angry that Github's free service allows them to do something stupid

It's free. You get what you pay for.

Re: Blame

[p91paul]

It's not even that. Even if you paid for it (and some people do) this is the kind of mistake it's unreasonable to protect people from. Github does scan from some kind of secrets connected to APIs widely used by developers, giving warnings to them. It makes sense, because it makes sense for those files to be in the repository directory and forgetting to gitignore them can be an honest mistake. Committing your whole home directory to git is a bad idea already, as there are better tools for that kind of task.