Supply Chain Council of European Union | Scceu.org

Thousands of GitHub Users Unknowingly Committed Their Firefox Login Cookies, Risking Account Takeovers and Supply Chain Attacks

Login cookies belonging to thousands of Firefox users are freely retrievable from public GitHub repositories, according to security engineer Aidan Marlin.

Marlin, an employee of the London-based rail service Trainline, contacted GitHub about the leak, but the company responded that credentials leaked by users themselves were beyond the scope of its bounty program.

Marlin released his findings to HackerOne and the UK-based technology news outlet The Register after authorization by GitHub.

He says that attackers could use the leaked databases to compromise any internet-facing application associated with the users.

Multiple services and browsers affected by login cookies exposure on GitHub

Although the problem wasn’t new, Marlin explained that it had previously affected only a single service, such as AWS. He now suggests that other browsers could also be affected.

According to the researcher, leaked browser login cookies could allow attackers to access any website the GitHub user had authenticated to before committing the code. An attacker only needed to create a Firefox profile and place the leaked cookies.sqlite file in the Firefox profiles folder to exploit the vulnerability. While Firefox users can protect their login information with a browser password, that password does not protect the cookies.sqlite file.

Similar login cookie vulnerabilities had been observed in Mozilla Firefox for macOS and Android (CVE-2020-15647). Mozilla also confirmed the risk but did not promise any design changes. Instead, the company warned Firefox users against “sharing of private data directly on public websites,” advising them to use Firefox Sync, which encrypts data when backing up user profile information.

GitHub fails to protect leaked users’ login cookies

Marlin lamented GitHub’s refusal to take its users’ security and privacy seriously. He suggested that GitHub should prevent exposed login cookies from surfacing in its code search results (the queries researchers call GitHub dorks).

Consequently, he notified the UK Information Commissioner’s Office, noting that there were “nearly 4.5k hits for this dork, so I think GitHub has a duty of care.”

However, Marlin also laid the blame equally on GitHub users who committed login cookies alongside their code to public repositories. He said that the developers would “s*** their pants” if they discovered the mistake they made.

Most users inadvertently upload sensitive data because Linux environments hide directories whose names start with a dot character. Consequently, uploading a source code folder also uploads the security keys stored in those hidden directories.

However, the researcher explained that the login cookie exposure occurred because users committed code from within their Linux home directory.

He suggested that most users committed their code with login cookies to ensure a common environment across multiple devices.

“Marlin acknowledges that affected GitHub users deserve some blame for failing to prevent their cookies.sqlite databases from being included when they committed code and pushed it to their public repositories,” The Register wrote.

GitHub has been scanning code for package registry credentials since 2015. The company also promised in June 2021 to expand the service to more areas.

Commonly exposed credentials include SSH login keys and security tokens for the source code repository, such as GitHub desktop authentication keys.

The distributed version control platform acknowledges that leaked secrets could not only compromise the affected product, but also thousands of others.

GitHub currently scans PyPI, RubyGems, npm, NuGet, and Clojars projects to protect secrets that could compromise products that depend on these package managers. Consequently, checking browsers’ login cookies database files like cookies.sqlite should be the next logical step.
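The following Python script is an added example (not code from the article, from Marlin, from GitHub or from Mozilla) of the kind of pre-commit check the article describes as the next logical step. It covers the three mistakes discussed above: a repository rooted at the home directory, staged paths under hidden (dot) directories, and a cookies.sqlite file that is confirmed to be a Firefox cookie store by its `moz_cookies` table rather than by its name, reporting which hosts still hold unexpired cookies so the developer knows which sessions to revoke. The list of staged paths, the simplified `moz_cookies` schema, the throwaway directory and the host names are assumptions constructed for the demo.

```python
"""Pre-commit style scan for Firefox cookie stores about to be committed.

Added example, not the article's, Marlin's, GitHub's or Mozilla's code.
Assumptions: the scanner receives staged paths relative to the repository
root (as `git diff --cached --name-only` would list them), and a file counts
as a Firefox cookie store if it is an SQLite database with a `moz_cookies`
table carrying `host`, `name` and `expiry` columns (a simplified stand-in
for the real schema is used in the constructed sample below).
"""
import sqlite3
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional

# File name the article identifies as the leak vector.
COOKIE_DB_NAME = "cookies.sqlite"


def is_firefox_cookie_db(path: Path) -> bool:
    """Confirm by schema, not by name, that a file is a Firefox cookie store."""
    if not path.is_file():
        return False
    conn = sqlite3.connect(str(path))
    try:
        row = conn.execute(
            "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'moz_cookies'"
        ).fetchone()
        return row is not None
    except sqlite3.DatabaseError:
        # Not an SQLite file at all (e.g. a text file that merely has the name).
        return False
    finally:
        conn.close()


def live_cookie_hosts(path: Path, now: Optional[int] = None) -> List[str]:
    """Hosts whose cookies have not expired: the sessions the owner must revoke."""
    now = int(time.time()) if now is None else now
    conn = sqlite3.connect(str(path))
    try:
        rows = conn.execute(
            "SELECT DISTINCT host FROM moz_cookies WHERE expiry > ? ORDER BY host", (now,)
        ).fetchall()
        return [host for (host,) in rows]
    finally:
        conn.close()


def scan_staged(repo_root: Path, staged: List[str], home: Optional[Path] = None,
                now: Optional[int] = None) -> List[Dict[str, object]]:
    """Report a repo rooted at $HOME, hidden-directory paths, and real cookie stores."""
    home = Path.home() if home is None else home
    findings: List[Dict[str, object]] = []
    if repo_root.resolve() == home.resolve():
        findings.append({"kind": "repo-is-home-directory", "path": str(repo_root)})
    for rel in staged:
        p = Path(rel)
        if any(part.startswith(".") for part in p.parts[:-1]):
            findings.append({"kind": "hidden-directory", "path": rel})
        if p.name == COOKIE_DB_NAME:
            full = repo_root / p
            if is_firefox_cookie_db(full):
                findings.append({"kind": "firefox-cookie-db", "path": rel,
                                 "live_hosts": live_cookie_hosts(full, now)})
            else:
                findings.append({"kind": "suspicious-name", "path": rel})
    return findings


def should_block(findings: List[Dict[str, object]]) -> bool:
    """A hook would refuse the commit only for confirmed cookie stores or a $HOME repo."""
    return any(f["kind"] in ("firefox-cookie-db", "repo-is-home-directory") for f in findings)


def make_sample_cookie_db(path: Path, now: int) -> None:
    """Constructed sample: a minimal moz_cookies table with one live and one expired cookie."""
    path.parent.mkdir(parents=True, exist_ok=True)
    conn = sqlite3.connect(str(path))
    conn.execute("CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, host TEXT, "
                 "name TEXT, value TEXT, path TEXT, expiry INTEGER)")
    conn.executemany(
        "INSERT INTO moz_cookies (host, name, value, path, expiry) VALUES (?, ?, ?, ?, ?)",
        [("github.com", "user_session", "CONSTRUCTED-VALUE", "/", now + 3600),
         ("example.org", "sid", "CONSTRUCTED-VALUE", "/", now - 3600)])
    conn.commit()
    conn.close()


def demo() -> List[Dict[str, object]]:
    """Build a throwaway 'home directory' that was turned into a git repo and scan it."""
    now = 1_700_000_000  # fixed clock so the result is reproducible
    root = Path(tempfile.mkdtemp())
    make_sample_cookie_db(root / ".mozilla/firefox/abcd1234.default/cookies.sqlite", now)
    (root / "project").mkdir()
    (root / "project/main.py").write_text("print('hello')\n")
    (root / "project/cookies.sqlite").write_text("a text file that only has the name\n")
    staged = ["project/main.py", "project/cookies.sqlite",
              ".mozilla/firefox/abcd1234.default/cookies.sqlite"]
    return scan_staged(root, staged, home=root, now=now)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Checking the schema rather than the file name keeps the hook from blocking on a harmless file that happens to be called cookies.sqlite, while still catching the real profile database buried under a dot directory; wired into a pre-commit hook, `should_block` would stop the push before any secret reaches a public repository.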


Exposed browser cookies could include GitHub and other software development platforms’ login information. Attackers could use exposed login credentials to compromise developers’ accounts and inject malicious code into software source code repositories for supply chain attacks.

Fortunately, login cookies expire quickly, and cookie thieves might encounter the “you signed out in another tab or window, reload to refresh your session” message.
