GitHub cookie leak – thousands of Firefox cookie files uploaded by mistake – Naked Security


Remember when people mistakenly uploaded their SSH keys to GitHub and similar code-sharing sites?

Two years ago, we wrote about careless software developers who had uploaded hundreds of thousands of private access-control keys, quite unintentionally, alongside the source code files they had actually intended to make public.

Usually, this kind of error occurs because Linux and Unix computers don’t, by default, display directories or files whose names begin with a dot (full stop, ASCII 46, hexadecimal 0x2E).

It’s easy to forget that these “hidden” files and directories exist, since you rarely notice they are there.

One of the most important “hidden” directories for Unix users is .ssh, which is therefore usually invisible in a directory listing.

So a simple directory listing might look like this:

$ ls -lR
.:
total 4
drwxr-xr-x 2 lua  lua  4096 2021-11-18 20:52 lua-utils/

./lua-utils:
total 32
-rw-r--r-- 1 lua  lua   5107 2021-11-18 20:45 args.lua
-rw-r--r-- 1 lua  lua  12384 2021-11-18 20:45 base.lua
-rw-r--r-- 1 lua  lua   4628 2021-11-18 20:45 socks5.lua

Blindly wrapping all of these files into an archive for uploading to your favorite public repository seems harmless enough, given that all of the files in the lua account are meant to be public.

But if you insist that the file listing utility show you all files (add the -a option, for all, to the ls command), including hidden files whose names start with a dot, you could find that the directory tree looks like this instead:

$ ls -alR
.:
total 28
drwxr-xr-x  4 lua  lua   4096 2021-11-18 20:46 ./
drwxr-xr-x 27 lua  lua  16384 2021-11-18 20:42 ../
drwxr-xr-x  2 lua  lua   4096 2021-11-18 20:44 .ssh/
drwxr-xr-x  2 lua  lua   4096 2021-11-18 20:52 lua-utils/

./.ssh:
total 16
drwxr-xr-x 2 lua  lua  4096 2021-11-18 20:44 ./
drwxr-xr-x 4 lua  lua  4096 2021-11-18 20:46 ../
-r-------- 1 lua  lua    74 2021-11-18 20:45 id_rsa
-rw------- 1 lua  lua  1993 2021-11-18 20:45 known_hosts

./lua-utils:
total 40
drwxr-xr-x 2 lua  lua   4096 2021-11-18 20:52 ./
drwxr-xr-x 4 lua  lua   4096 2021-11-18 20:46 ../
-rw-r--r-- 1 lua  lua   5107 2021-11-18 20:45 args.lua
-rw-r--r-- 1 lua  lua  12384 2021-11-18 20:45 base.lua
-rw-r--r-- 1 lua  lua   4628 2021-11-18 20:45 socks5.lua

As you can see, the complete directory tree includes a .ssh directory containing a file called id_rsa, which is a private key file, typically used to authenticate you to one or more remote servers that you connect to regularly:

$ cat .ssh/id_rsa 
-----BEGIN RSA PRIVATE KEY-----

[. . . .]

-----END RSA PRIVATE KEY-----

So, did you just archive three files, or five?

Of course, if your packaging tool archives and uploads all files, not just the unhidden ones, you will inadvertently have included your own private SSH key along with your public source code.

Ironically, the id_rsa file may even be the very key that grants you access to the same source code repository where the key file is now publicly visible and searchable.

Faced with this problem, many code-sharing sites now go out of their way to find, report and remove files of this type, which simply shouldn’t be made public.

But a typical Unix or Linux computer will have hundreds or thousands of hidden files in the directory tree of any busy user, and although only a few of them are as critical as your SSH keys, there are many, perhaps thousands, of hidden files that reveal confidential information about you, your accounts or your online activities.

Uploading any of these files by mistake could be bad for your cybersecurity health.

Searches, commands, documents and browsing data

Dozens of popular utilities, for example, keep hidden “history” files that record your last N searches, or your last M documents, or the last P commands you ran, just in case you want to return quickly to a recent command or document later.

Often, these history files go back days, weeks or even longer, and your command shell history in particular is likely to contain unwanted copies of your password, accidentally “captured” when you got out of sync with the login prompt and typed your password at the command prompt by mistake.

Well, reporters at UK IT news site El Reg, officially The Register, today published a warning they had received from a reader who had just noticed that thousands of copies of the Firefox browser’s cookie file, called cookies.sqlite, can be found on GitHub.

Many Firefox users will never see this file, especially on Linux computers, because it lives in a hidden directory tree under .mozilla/firefox, where it’s unlikely to show up during routine browsing of your local files, thanks to the dot at the start of the application-specific directory name .mozilla.

We repeated the experiment and immediately found over 4,400 instances of files with that name, the most recent being only a few hours old.

We didn’t dig too deeply into the files that showed up, even though they are now effectively in the public domain, because we suspect that none of the users who uploaded them had any intention of doing so.

But we were able to open and briefly scroll through the samples we looked at (.sqlite files are stand-alone databases for the SQLite toolkit, which is widely used by a range of apps and is very popular on iOS and Android because of its compact code size), and they contained clear evidence of recent browsing behaviour and site logins.

Sure, cookies.sqlite is just one sensitive file from one popular app, but it’s a particularly bad choice of private file to upload, because it usually contains personalised information about your browsing habits.

Most importantly, your cookie database may include authentication tokens that allow you to return to your favourite websites without logging in again the next time you visit.

If you are in the habit of telling websites to “remember me for X days” so that you don’t have to enter your username, password and 2FA code every morning, it’s likely that the secret string of scrambled text that lets you come back next time is stored as a web cookie. So a crook who finds your cookie file may be able to copy your personal “login bypass” code and impersonate you on your account.
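To make concrete what a leaked cookies.sqlite hands over, here is an added example, written for this page and not code from the original article, from Mozilla or from The Register. It builds a small constructed database using a simplified subset of the columns in Firefox’s moz_cookies table (an assumption: the real table has more columns, but these are enough to show the point), then lists which cookies would still be valid right now and which look like login tokens. It reports hosts and names only, never the values, which is the right habit for an audit tool:

```python
import os
import sqlite3
import tempfile

# Fixed "now" (seconds since the Unix epoch) so the example is reproducible.
NOW = 1_700_000_000
DAY = 86_400

# Simplified subset of Firefox's moz_cookies columns (assumption: the real
# table has more, e.g. originAttributes, lastAccessed, sameSite).
SCHEMA = """
CREATE TABLE moz_cookies (
    id         INTEGER PRIMARY KEY,
    name       TEXT,
    value      TEXT,
    host       TEXT,
    path       TEXT,
    expiry     INTEGER,   -- seconds since the Unix epoch
    isSecure   INTEGER,
    isHttpOnly INTEGER
)
"""

# Constructed sample rows, not taken from any real profile.
SAMPLE_COOKIES = [
    # name,              value,                       host,                 path, expiry,          secure, httponly
    ("user_session",    "constructed-session-token", ".github.com",        "/",  NOW + 14 * DAY,  1, 1),
    ("__Host-remember", "constructed-remember-me",   "example.com",        "/",  NOW + 90 * DAY,  1, 1),
    ("_ga",             "GA1.2.123.456",             ".example.net",       "/",  NOW + 400 * DAY, 0, 0),
    ("session",         "constructed-expired",       ".old-forum.example", "/",  NOW - 3600,      1, 1),
]

# Words in a cookie name that usually mean "authentication material".
AUTH_HINTS = ("session", "remember", "auth", "token", "login")


def make_sample_db(path):
    """Write the constructed cookie database to `path`."""
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    con.executemany(
        "INSERT INTO moz_cookies (name, value, host, path, expiry, isSecure, isHttpOnly)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        SAMPLE_COOKIES,
    )
    con.commit()
    con.close()


def live_cookies(path, now=NOW):
    """Return (host, name, days_left, looks_like_auth) for every cookie that is
    still valid at `now`, longest-lived first. Cookie values are deliberately
    never read, so the report itself is not a second copy of the secrets."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # read-only: never alter evidence
    rows = con.execute(
        "SELECT host, name, expiry, isHttpOnly FROM moz_cookies"
        " WHERE expiry > ? ORDER BY expiry DESC",
        (now,),
    ).fetchall()
    con.close()
    report = []
    for host, name, expiry, httponly in rows:
        # Heuristic: HttpOnly cookies and login-ish names are usually
        # authentication tokens rather than analytics identifiers.
        looks_like_auth = bool(httponly) or any(h in name.lower() for h in AUTH_HINTS)
        report.append((host, name, (expiry - now) // DAY, looks_like_auth))
    return report


def demo():
    """Build the sample DB in a temp dir and return the audit report."""
    workdir = tempfile.mkdtemp()
    db = os.path.join(workdir, "cookies.sqlite")
    make_sample_db(db)
    return live_cookies(db)


if __name__ == "__main__":
    for host, name, days, auth in demo():
        flag = "AUTH?" if auth else "     "
        print(f"{flag} {host:22} {name:18} valid for {days:>3} more days")
```

Run against a real file pulled back out of a repository, every line with days remaining is a token a stranger could still replay, and the ones flagged AUTH? stay usable until you log out of that site, which is why logging out matters as much as deleting the file.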

What to do?

  • When uploading files for public use, be absolutely sure which files you have included in your set. Windows hides file extensions by default, making it difficult to know what types of file you have selected; as noted above, Linux and Unix hide “hidden” files whose names start with a dot.
  • If possible, have someone else review your upload before you click [OK]. If you’re uploading your own code, for example, you’re probably feeling relieved and euphoric that your next version is out, or happy that the bugs you’ve been working on are finally fixed. Reviewing your own uploads is like proofreading your own articles: you know what they’re supposed to look like, so mistakes that are obvious to others will often escape your notice altogether.
  • Get into the habit of regularly clearing the cookies from your browser. The longer you leave it, the more personalised browsing data your cookie file will accumulate. Ideally, configure your browser to clear cookies and web data automatically on exit, so that you don’t have to remember to keep doing it by hand. It’s a small inconvenience for a lot of peace of mind.
  • Log out of sites as soon as you are finished using them. Yes, this is inconvenient as you have to log back in and enter your 2FA code frequently. But when you formally tell a site like GitHub, YouTube, or Facebook that you’ve logged out, your current browser authentication tokens are automatically invalidated and therefore become useless to anyone who finds them later.
  • Download your own uploads as soon as they are public. If you regularly upload files to public repositories where others can retrieve them, make a habit of downloading your own uploads (use a different browser, a different username, or even a different computer if you can), as if you were a curious member of the public. Review the contents of what you just downloaded, using a tool you know shows you everything in the download, regardless of extension or file name. If you don’t search your uploads for sensitive files, crooks are likely to do it for you.
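The pre-upload check that the list above asks for, and the hidden-file packaging trap from the id_rsa example earlier, in one added example written for this page (not code from the original article or from GitHub). It builds a constructed copy of the lua account’s tree, dotfiles included, packs it the careless way and the careful way, and then audits each archive’s member list the way you would audit a download of your own upload. The sensitive-name and sensitive-directory lists are a starter set and an assumption, not a complete inventory; the file contents are placeholders:

```python
import os
import tarfile
import tempfile

# Constructed tree mirroring the listing earlier in the article. File contents
# are placeholders, not real keys, history or cookies.
SAMPLE_TREE = {
    "lua-utils/args.lua": "-- args\n",
    "lua-utils/base.lua": "-- base\n",
    "lua-utils/socks5.lua": "-- socks5\n",
    ".ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
    ".ssh/known_hosts": "example.com ssh-ed25519 AAAA-placeholder\n",
    ".bash_history": "ls -la\nssh lua@example.com\n",
    ".mozilla/firefox/abcd1234.default/cookies.sqlite": "placeholder, not a real database\n",
}

# Starter lists (assumption: not exhaustive) of names and directories that
# should never be part of a public upload.
SENSITIVE_NAMES = {
    "id_rsa", "id_dsa", "id_ecdsa", "id_ed25519", "cookies.sqlite",
    ".bash_history", ".zsh_history", ".netrc", ".git-credentials", ".npmrc", ".pypirc",
}
SENSITIVE_DIRS = {".ssh", ".gnupg", ".aws", ".mozilla"}


def build_tree(root):
    """Materialise SAMPLE_TREE under `root`."""
    for rel, text in SAMPLE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)


def is_hidden(relpath):
    """True if any path component is a dotfile or dotdir (what `ls` without -a omits)."""
    return any(p.startswith(".") for p in relpath.split("/") if p not in ("", "."))


def pack(root, out_path, skip_hidden=False):
    """Archive `root` as a .tgz. With skip_hidden=True, dot entries (and
    everything below a dot directory) are left out via tarfile's add() filter."""
    def keep(info):
        return None if (skip_hidden and is_hidden(info.name)) else info

    with tarfile.open(out_path, "w:gz") as tar:
        # os.listdir(), unlike a plain `ls`, does return dotfiles, so a naive
        # "add everything" loop sweeps them in.
        for name in sorted(os.listdir(root)):
            tar.add(os.path.join(root, name), arcname=name, filter=keep)
    return out_path


def audit(archive_path):
    """Return {member: [reasons]} for every regular file in the archive that is
    hidden, has a sensitive name, or sits under a sensitive directory."""
    findings = {}
    with tarfile.open(archive_path, "r:gz") as tar:
        for info in tar.getmembers():
            if not info.isfile():
                continue
            parts = info.name.split("/")
            reasons = []
            if is_hidden(info.name):
                reasons.append("hidden path component")
            if parts[-1] in SENSITIVE_NAMES:
                reasons.append(f"sensitive file name {parts[-1]}")
            if SENSITIVE_DIRS.intersection(parts[:-1]):
                reasons.append("inside sensitive directory")
            if reasons:
                findings[info.name] = reasons
    return findings


def demo():
    """Pack the constructed tree both ways and return (naive_findings, careful_findings)."""
    work = tempfile.mkdtemp()
    root = os.path.join(work, "home")
    os.makedirs(root)
    build_tree(root)
    naive = audit(pack(root, os.path.join(work, "naive.tgz")))
    careful = audit(pack(root, os.path.join(work, "careful.tgz"), skip_hidden=True))
    return naive, careful


if __name__ == "__main__":
    naive, careful = demo()
    for member, reasons in sorted(naive.items()):
        print(f"naive.tgz: {member}: {', '.join(reasons)}")
    print(f"careful.tgz: {len(careful)} findings")
```

The careful archive drops every dot entry, so a project that genuinely needs, say, .gitignore or a .github/ directory shipped should allow-list those explicitly rather than switch the filter off. The audit function is the part to run on the copy you download back from the repository: it reads the archive’s own member list instead of trusting what you think you packed.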

Be aware before sharing!
