According to The Register, Aidan Marlin, a security engineer at a London rail service company, found that GitHub repositories are serving up thousands of Firefox cookie databases containing sensitive data, which could be used to hijack authenticated sessions.

These cookies.sqlite databases normally live in the Firefox profile folder and store cookies between browsing sessions. They can be found by searching GitHub with specific query parameters, a so-called "GitHub search dork" (a dork can be used to search public GitHub repositories for sensitive personal or organizational information such as private keys, credentials and authentication tokens). Most of the affected GitHub users work in a common environment across multiple computers. When they commit code from their Linux home directory and push it to a public repository, the SQLite database is included.

In most cases users do not know that they have uploaded the cookie database themselves, so responsibility for the leak lies mainly with the users. But the GitHub dork currently returns nearly 4,500 hits, so Marlin believes GitHub also has an obligation to notice and fix the problem. However, a GitHub representative told Marlin that "credentials exposed by users are not in scope of the Bug Bounty program", which means GitHub has no plans to release a fix for this issue in the near future. Marlin felt that GitHub was not taking user security and privacy seriously, which left him frustrated: "It could at least stop this GitHub dork from returning search results."

The bad news is that GitHub dorks are nothing new; this is an old problem. The good news is that session-related cookies expire quickly. Perhaps that is why GitHub has not taken this cookie issue to heart.
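A check a user could run on a home directory before committing it, added here as an example that is not from the article or from GitHub: it finds Firefox cookie stores by content rather than by file name and counts the cookies that have not yet expired. The function names, the reduced `moz_cookies` schema of the constructed sample, and the treatment of `expiry` as Unix seconds are assumptions.

```python
import os
import sqlite3
import tempfile
import time
from contextlib import closing
from pathlib import Path

def live_cookie_count(path, now):
    """Unexpired rows in moz_cookies, or None if not a Firefox cookie store."""
    try:
        with open(path, "rb") as fh:  # match on content, not on the file name
            if fh.read(16) != b"SQLite format 3\x00":  # SQLite 3 file header
                return None
        # immutable=1 reads a static copy without creating lock or WAL files
        uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
        with closing(sqlite3.connect(uri, uri=True)) as db:
            # Assumption: expiry is Unix seconds; no moz_cookies -> sqlite3.Error
            return db.execute("SELECT COUNT(*) FROM moz_cookies WHERE expiry > ?",
                              (now,)).fetchone()[0]
    except (OSError, sqlite3.Error):
        return None

def scan_tree(root, now=None):
    """Map relative path -> unexpired cookie count for each cookie DB found."""
    now = int(time.time()) if now is None else now
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git internals
        for name in filenames:
            path = os.path.join(dirpath, name)
            count = live_cookie_count(path, now)
            if count is not None:
                findings[os.path.relpath(path, root)] = count
    return findings

def build_sample(root, now):
    """Constructed sample: a home directory containing a Firefox profile."""
    profile = Path(root, ".mozilla", "firefox", "example.default")
    profile.mkdir(parents=True)
    with closing(sqlite3.connect(profile / "cookies.sqlite")) as db:
        db.execute("CREATE TABLE moz_cookies (name TEXT, value TEXT, expiry INTEGER)")
        db.execute("INSERT INTO moz_cookies VALUES ('sid', 'constructed', ?), "
                   "('old', 'constructed', ?)", (now + 3600, now - 3600))
        db.commit()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        build_sample(home, int(time.time()))
        print(scan_tree(home))
```

A file reported with a count of zero should still be untracked and kept out of the repository, since expired rows continue to record which sites were visited.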

