As reported by The Register and first spotted by security engineer Aidan Marlin, these cookies.sqlite databases are used to store cookies between browsing sessions and are normally found in a user's Firefox profiles folder. However, by searching GitHub using specific query parameters known as a search “dork”, they can be found online.
Marlin reached out to the news outlet after he first tried reporting his findings to GitHub through HackerOne. However, a GitHub representative informed Marlin that “credentials exposed by our users are not in scope for our Bug Bounty program”. He then asked GitHub whether he could make his findings public and provided further details on the matter to The Register in an email, saying:
“I'm frustrated that GitHub isn't taking its users' security and privacy seriously. The least it could do is prevent results coming up for this GitHub dork. If the individuals who uploaded these cookie databases were made aware of what they'd done, they'd s*** their pants.”
Accidentally exposed cookie databases
The affected users accidentally uploaded their own cookies.sqlite database when committing code and pushing it to their public repositories on GitHub. However, since this dork turns up almost 4.5k results, Marlin believes GitHub should be doing more and he has also alerted the UK Information Commissioner's Office that users' personal information is in jeopardy.
Marlin believes the users uploaded their cookies.sqlite databases accidentally by committing code from their own Linux home directory. Most likely, the individuals involved do not even realize that they have put their cookie databases online for anyone to find.
The accounts of the affected users are also at risk. According to Marlin, an attacker could download a cookie database and place it in the folder of a newly created Firefox profile on their own machine, which would leave them authenticated to any service the user was logged in to when the database was committed.
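As a defender-side illustration of the mistake described above, here is an added example (not code from the article, GitHub or Mozilla): a POSIX sh git pre-commit hook that refuses a commit when the staged file list contains cookies.sqlite, and also when the repository root is the user's home directory. The other file names in the pattern list are assumed companions from a Firefox profile directory and are not mentioned in the article.

```shell
#!/bin/sh
# Added example: a git pre-commit hook that blocks Firefox profile data.
# Install by copying to .git/hooks/pre-commit and making it executable.

# cookies.sqlite is the file the article discusses; the remaining names are
# assumed companions from a Firefox profile directory.
FIREFOX_PROFILE_FILES='cookies\.sqlite|logins\.json|key4\.db|sessionstore\.jsonlz4|places\.sqlite'

# Reads newline-separated paths on stdin and prints those whose basename is a
# Firefox profile file. Always exits 0 so it is safe under `set -e`.
find_profile_artifacts() {
    grep -E "(^|/)(${FIREFOX_PROFILE_FILES})$" || true
}

# Returns 0 when the repository root given as $1 is the user's home directory,
# the mistake the article attributes to the exposure.
repo_root_is_home() {
    [ -n "$HOME" ] && [ "$1" = "$HOME" ]
}

# Hook logic: $1 is the repository root, stdin is the list of staged paths
# (as produced by `git diff --cached --name-only`). Returns 1 to block.
check_staged() {
    root="$1"
    status=0
    hits=$(find_profile_artifacts)
    if [ -n "$hits" ]; then
        printf 'pre-commit: refusing to commit Firefox profile data:\n%s\n' "$hits" >&2
        status=1
    fi
    if repo_root_is_home "$root"; then
        printf 'pre-commit: repository root %s is a home directory; refusing\n' "$root" >&2
        status=1
    fi
    return $status
}

# When installed as the pre-commit hook, run against the real staged list.
if [ "$(basename "$0")" = "pre-commit" ]; then
    git diff --cached --name-only | check_staged "$(git rev-parse --show-toplevel)"
fi
```

The home-directory check also catches the case where a profile file has not yet been staged but the next `git add .` would pull it in.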
In an email to The Register, a Mozilla spokesperson confirmed Marlin's theory and explained that developers should use Firefox Sync when using code hosting services like GitHub, saying:
“Protecting the privacy of internet users is at the core of Mozilla’s work. When using code hosting services, we encourage users to use caution when considering the sharing of private data directly on public websites. When choosing to backup sensitive Firefox profile data, Mozilla recommends Firefox Sync, which encrypts and safely stores files within Firefox servers.”
Via The Register