Cookie missing Secure flag

VERIFIED FIXED

Status

Mozilla Developer Network
Security
--
major
VERIFIED FIXED
4 years ago
2 years ago

People

(Reporter: curtisk, Unassigned)

Tracking

({sec-low, wsec-cookie})

Details

(URL)

Description:
A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL:
https://ffdevtools.uservoice.com/session
HTTP/1.1 200 OK
Server: nginx/1.7.1
Date: Fri, 15 Aug 2014 17:23:28 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-UA-Compatible: chrome=1
P3P: CP="ALL DSP COR CURa ADMa DEVa OUR IND COM NAV"
X-Rack-Cache: invalidate, pass
ETag: "de3d213cfc64fdf1af9707584acb4ee9"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _uservoice_uid=791fbdb2a0959d23f65a021845cd6fbd4fb9d0f7; path=/; expires=Fri, 10 Oct 2014 17:23:28 -0000
X-Request-Id: f3c5ea4f-1235-4342-ba80-0c2052ca8828
X-Runtime: 0.054657
Severity: normal → major
Adding all MDN devs to cc list of these security bugs.
Robert - UserVoice will have to fix this.
Flags: needinfo?(robert)

Comment 4

3 years ago
I've contacted UserVoice with this information and waiting to hear back from them.
Flags: needinfo?(robert)

Comment 5

3 years ago
The reply I got from UserVoice was: "This cookie in question isn't a session cookie, so session hijacking won't be possible." Is that sufficient, or incorrect based on our security concerns?
Flags: needinfo?(curtisk)
This looks like a session cookie to me

HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Fri, 17 Oct 2014 13:51:30 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-UA-Compatible: chrome=1
P3P: CP="ALL DSP COR CURa ADMa DEVa OUR IND COM NAV"
X-Rack-Cache: invalidate, pass
ETag: "08a8967e751599873a1217e806f490a8"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _uservoice_uid=791fbdb2a0959d23f65a021845cd6fbd4fb9d0f7; path=/; expires=Fri, 12 Dec 2014 14:51:30 -0000
X-Request-Id: 21c6d7dd-b0bf-43f0-b4a1-b63425bd33fd
X-Runtime: 0.069203
CF-RAY: 17acf8a9b5500938-DFW

{"status":"OK","user":{"id":55222170,"name":"Curtis Koenig","email":"curtisk@mozilla.com","title":null,"anonymous":false,"remembered":false,"url":"https://ffdevtools.uservoice.com/users/55222170-curtis-koenig","uservoice_url":"https://ffdevtools.uservoice.com/users/55222170-curtis-koenig","sso_url":null,"karma_score":0,"avatar_url":"https://secure.gravatar.com/avatar/309fb1423f538a1443ceb8c01e33f651?size=70\u0026default=https://assets0.uvcdn.com/pkg/admin/icons/user_70-c68d06098b40646a91b7656094632c19.png","roles":{"admin":false},"created_at":"2014-08-15T17:23:28Z","updated_at":"2014-10-17T13:51:30Z","visible_forums":[{"id":246087,"name":"Firefox Developer Tools ideas","is_private":false,"idea_count":229,"url":"/forums/246087-firefox-developer-tools-ideas","max_votes":10,"forum_activity":{"votes_available":10,"supported_suggestions":[]}}]},"redirect_to":"/forums/246087-firefox-developer-tools-ideas"}

I am also able to logout of the system and then resend this request, with the cookie and the system logs me in (replay). So I think I have some valid concerns over cookie reuse and protection.
Flags: needinfo?(curtisk)
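The replay observation above (logout, then resend the old cookie and get logged in again) is a server-side session-handling problem, separate from the Secure flag. The following added example is not UserVoice's code and is not from this bug; it is a constructed in-memory session store showing the behaviour a defender wants: logout destroys the server-side record, so a replayed cookie resolves to nobody. The user record and cookie name `_session_id` are taken from the thread; the store, `login`, `logout` and `who_am_i` are assumptions for illustration. A cookie whose value is a long-lived identifier that the server never looks up (as the reused `_uservoice_uid` value suggests) cannot be invalidated this way, which is exactly why the replay succeeds.

```python
import secrets
import time

# Constructed in-memory stores standing in for a real backend (database, Redis).
SESSIONS = {}  # session token -> {"user_id": ..., "created": ...}
USERS = {"curtisk@mozilla.com": {"id": 55222170, "name": "Curtis Koenig"}}


def login(email):
    """Issue a fresh, random session token bound to the user on the server side."""
    user = USERS[email]
    token = secrets.token_hex(16)  # 128 bits of entropy, never derived from the user id
    SESSIONS[token] = {"user_id": user["id"], "created": time.time()}
    return token


def logout(token):
    """Destroy the server-side record so the same token cannot be replayed later."""
    SESSIONS.pop(token, None)


def logout_everywhere(user_id):
    """Invalidate every session of one user (password change, suspected theft)."""
    for token in [t for t, s in SESSIONS.items() if s["user_id"] == user_id]:
        SESSIONS.pop(token, None)


def who_am_i(cookie_header):
    """Resolve a Cookie request header to a user id, or None if the token is unknown."""
    cookies = dict(
        part.strip().split("=", 1) for part in cookie_header.split(";") if "=" in part
    )
    entry = SESSIONS.get(cookies.get("_session_id"))
    return entry["user_id"] if entry else None


def replay_after_logout():
    """Reproduce the replay test: log in, keep the cookie, log out, resend the cookie.
    Returns (user id before logout, user id after logout)."""
    token = login("curtisk@mozilla.com")
    cookie = f"_session_id={token}"
    before = who_am_i(cookie)
    logout(token)
    after = who_am_i(cookie)  # stale token: the store no longer knows it
    return before, after


if __name__ == "__main__":
    print("before/after logout:", replay_after_logout())
```

`replay_after_logout()` returns `(55222170, None)`: the replayed cookie identifies nobody once the server-side record is gone.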
I think I may have also copied the wrong cookie so here is the sign-in request that is also missing the flag

https://ffdevtools.uservoice.com/site/signin

HTTP/1.1 302 Found
Server: cloudflare-nginx
Date: Fri, 17 Oct 2014 13:47:00 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: __cfduid=d442922f77d740fb0ac426b9edc9b79d21413553620223; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.uservoice.com; HttpOnly
Status: 302 Found
X-Frame-Options: ALLOWALL
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-UA-Compatible: chrome=1
X-Doge: wow
Location: https://ffdevtools.uservoice.com/forums/246087-firefox-developer-tools-ideas
P3P: CP="ALL DSP COR CURa ADMa DEVa OUR IND COM NAV"
Cache-Control: private
X-Rack-Cache: miss
Set-Cookie: _session_id=c4c21bd9ec0eb2b6f0ed53869cbc500b; path=/; HttpOnly
X-Request-Id: 18bd84d1-1503-4226-8ba4-1b2b3d778e6e
X-Runtime: 0.024699
CF-RAY: 17acf20e65640944-DFW

Key Element:
Set-Cookie: _session_id=c4c21bd9ec0eb2b6f0ed53869cbc500b; path=/; HttpOnly

this has HttpOnly set but is missing the secure flag

Comment 8

3 years ago
Curtis: fair point. I've reached out to them about this.
You should also feel free to add them to this bug if that helps.

Comment 10

3 years ago
Yeah, I'll look into it. Too many middle-men at the moment. :-)

Comment 11

3 years ago
Curtis, I can't add the UserVoice representative, joey.pilot@uservoice.com, to this bug. Can you please help me with that?
Flags: needinfo?(curtisk)
(In reply to Robert Nyman from comment #11)
> Curtis, I can't add the UserVoice representative, 
> joey.pilot@uservoice.com, to this bug. Can you please help me with that?

I looked in the admin screens and it does not appear that is a valid bugzilla account, in fact I can't find any for the @uservoice.com. They will have to sign up for a free bugzilla account with the given email before we can add them to the bug.
Flags: needinfo?(curtisk)

Comment 13

3 years ago
Thanks, I'll check back with him again.

Comment 14

3 years ago
Ok, Joey added to this bug now! Please continue the conversation.
Flags: needinfo?(joey.pilot)

Comment 15

3 years ago
One of our developers said this should not be a security issue because you are forcing SSL. Can we get some details about why it's still an issue when SSL is forced?
Flags: needinfo?(joey.pilot)
please define what you mean by forcing SSL?
Flags: needinfo?(joey.pilot)

Comment 17

3 years ago
when you go to ffdevtools.uservoice.com, you arrive at a secure HTTPS URL: https://ffdevtools.uservoice.com/forums/246087-firefox-developer-tools-ideas

per this setting in UserVoice: http://prntscr.com/4ycgvw
Flags: needinfo?(joey.pilot)
This doesn't actually prevent interception of the traffic since the server still listens on HTTP. Once the server accepts the connection via an HTTP connection, the client will transmit an HTTP request that contains the cookies, then receive a 302 response. The client then connects via HTTPS, retransmitting the same data over an HTTPS request.

I wasn't able to leverage this to access any personal data, but I am not sure if the same would hold true for actual authenticated accounts.
Keywords: sec-low, wsec-cookie
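The comment above describes the exact sequence that makes a redirect-only "force SSL" setting insufficient: the browser sends its cookies on the first plaintext request, and only then receives the 302. The added example below is not code from this bug or from UserVoice; it is a small constructed model of the browser's cookie-attachment rule (RFC 6265 section 5.4: a cookie with the Secure attribute is only attached to https requests) and of a server that redirects http to https. Running it with and without the Secure flag on `_session_id` shows which cookies cross the plaintext hop; passing the host in `hsts_hosts` models the HSTS policy suggested later in the thread, under which the browser upgrades the URL before connecting. The cookie names and values are copied from the sign-in response in comment 7; `forced_ssl_server`, `simulate_visit` and the jar layout are assumptions for illustration, and domain/path matching is simplified.

```python
from urllib.parse import urlsplit


def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: exact host, or host is a subdomain of cookie_domain."""
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_for_request(jar, url):
    """Cookies a browser would attach to a request for url.
    A cookie carrying Secure is only sent when the scheme is https."""
    parts = urlsplit(url)
    path = parts.path or "/"
    sent = {}
    for c in jar:
        if not domain_matches(parts.hostname, c["domain"]):
            continue
        if not path.startswith(c["path"]):
            continue
        if c["secure"] and parts.scheme != "https":
            continue  # Secure cookie withheld from the plaintext request
        sent[c["name"]] = c["value"]
    return sent


def forced_ssl_server(url):
    """Constructed stand-in for a site that 'forces SSL' by redirect only: it still
    accepts the plaintext request (cookies included) and answers 302 to https."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return 302, "https://" + parts.netloc + parts.path
    return 200, None


def simulate_visit(jar, start_url, hsts_hosts=(), max_hops=3):
    """Follow redirects like a browser; return every cookie sent over plaintext http.
    Hosts in hsts_hosts are upgraded to https before any connection is made."""
    leaked = {}
    url = start_url
    for _ in range(max_hops):
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in hsts_hosts:
            url = "https://" + parts.netloc + parts.path  # HSTS: never touch port 80
            parts = urlsplit(url)
        attached = cookies_for_request(jar, url)
        if parts.scheme == "http":
            leaked.update(attached)  # this request went out in the clear
        status, location = forced_ssl_server(url)
        if status != 302:
            break
        url = location
    return leaked


def make_jar(session_secure):
    """Jar holding the two cookies from the sign-in response; the Secure attribute
    on _session_id is the variable under test. __cfduid's domain is .uservoice.com."""
    return [
        {"name": "_session_id", "value": "c4c21bd9ec0eb2b6f0ed53869cbc500b",
         "domain": "ffdevtools.uservoice.com", "path": "/", "secure": session_secure},
        {"name": "__cfduid", "value": "d442922f77d740fb0ac426b9edc9b79d21413553620223",
         "domain": "uservoice.com", "path": "/", "secure": False},
    ]


if __name__ == "__main__":
    url = "http://ffdevtools.uservoice.com/site/signin"
    print("no Secure flag:   ", simulate_visit(make_jar(False), url))
    print("Secure flag set:  ", simulate_visit(make_jar(True), url))
    print("no flag, but HSTS:", simulate_visit(make_jar(False), url,
                                               hsts_hosts={"ffdevtools.uservoice.com"}))
```

Without the flag, `_session_id` is in the set of cookies that left the client over http before the redirect arrived; with the flag, only the non-sensitive `__cfduid` cookie does; with an HSTS policy remembered for the host, nothing does, because no plaintext request is made at all.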

Comment 19

3 years ago
Axel, can you please work with uservoice to get this addressed.
According to comment #7, this bug is about a lack of Secure flag on the session id cookie.

I curl'd the url in question and got this:

$ curl -v "https://ffdevtools.uservoice.com/site/signin"
*   Trying 104.16.93.65...
* Connected to ffdevtools.uservoice.com (104.16.93.65) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* ALPN, server accepted to use http/1.1
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* 	subject: CN=ssl149278.cloudflaressl.com,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated
* 	start date: Jan 04 00:00:00 2016 GMT
* 	expire date: Dec 31 23:59:59 2016 GMT
* 	common name: ssl149278.cloudflaressl.com
* 	issuer: CN=COMODO ECC Domain Validation Secure Server CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
> GET /site/signin HTTP/1.1
> Host: ffdevtools.uservoice.com
> User-Agent: curl/7.43.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: cloudflare-nginx
< Date: Fri, 26 Feb 2016 16:03:40 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=de495a7a3a70405041c5e57093d0daf081456502620; expires=Sat, 25-Feb-17 16:03:40 GMT; path=/; domain=.uservoice.com; HttpOnly
< Vary: Accept-Encoding
< Vary: Accept-Encoding
< Status: 200 OK
< X-Frame-Options: ALLOWALL
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-UA-Compatible: chrome=1
< X-Doge: wow
< P3P: CP="ALL DSP COR CURa ADMa DEVa OUR IND COM NAV"
< X-Rack-Cache: miss
< ETag: W/"b8accaa4a3d35acf99cc0d03cc6c359a"
< Cache-Control: max-age=0, private, must-revalidate
< Set-Cookie: _rf=0; path=/
< Set-Cookie: _session_id=3f4597c18ed53286e8e682bb9b177078; path=/; HttpOnly; Secure
< X-Request-Id: f65a677d-4893-431c-8a11-c7652d6e4a5c
< X-Runtime: 0.065046
< CF-RAY: 27ace1a0a7b721b6-EWR


That has the Secure flag on the Set-Cookie with the session id. Pretty sure that means this bug is fixed.

April: Does that sound right to you? If so, then I think we can close this out.
Flags: needinfo?(april)

Comment 21

2 years ago
Yep, that looks good to me.

The site should probably also set Strict-Transport-Security (HSTS) as well.
Flags: needinfo?(april)
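The verification in comment 20 was done by eye over curl output; the description of this bug, the re-test above and the HSTS suggestion all come down to reading Set-Cookie and Strict-Transport-Security headers. The added example below is not part of this bug and not UserVoice's or Mozilla's tooling; it is a constructed checker that parses a captured response (plain or with curl's `< ` prefix), reports which cookies lack Secure or HttpOnly, and notes whether HSTS is set. The two embedded responses are header-only copies of the Oct 2014 sign-in response (comment 7) and the Feb 2016 curl capture (comment 20); `audit_response` and `missing_secure` are names assumed for this example.

```python
import re

# Constructed copies of two responses quoted in this bug, headers only.
SIGNIN_2014 = """\
HTTP/1.1 302 Found
Server: cloudflare-nginx
Date: Fri, 17 Oct 2014 13:47:00 GMT
Content-Type: text/html; charset=utf-8
Set-Cookie: __cfduid=d442922f77d740fb0ac426b9edc9b79d21413553620223; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.uservoice.com; HttpOnly
Status: 302 Found
Location: https://ffdevtools.uservoice.com/forums/246087-firefox-developer-tools-ideas
Cache-Control: private
Set-Cookie: _session_id=c4c21bd9ec0eb2b6f0ed53869cbc500b; path=/; HttpOnly
"""

SIGNIN_2016 = """\
< HTTP/1.1 200 OK
< Server: cloudflare-nginx
< Date: Fri, 26 Feb 2016 16:03:40 GMT
< Set-Cookie: __cfduid=de495a7a3a70405041c5e57093d0daf081456502620; expires=Sat, 25-Feb-17 16:03:40 GMT; path=/; domain=.uservoice.com; HttpOnly
< Cache-Control: max-age=0, private, must-revalidate
< Set-Cookie: _rf=0; path=/
< Set-Cookie: _session_id=3f4597c18ed53286e8e682bb9b177078; path=/; HttpOnly; Secure
"""


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, value, attrs). Attribute names are
    lower-cased; attributes with no '=' (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), cookie_value.strip(), attrs


def audit_response(raw):
    """Audit a captured response: per-cookie Secure/HttpOnly presence and
    whether a Strict-Transport-Security (HSTS) header is present."""
    result = {"cookies": {}, "hsts": False}
    for line in raw.splitlines()[1:]:      # skip the status line
        line = re.sub(r"^<\s?", "", line)  # tolerate curl's "< " response prefix
        if not line.strip():
            break                          # blank line ends the header block
        hname, _, hvalue = line.partition(":")
        hname, hvalue = hname.strip().lower(), hvalue.strip()
        if hname == "set-cookie":
            name, _, attrs = parse_set_cookie(hvalue)
            result["cookies"][name] = {
                "secure": attrs.get("secure") is True,
                "httponly": attrs.get("httponly") is True,
            }
        elif hname == "strict-transport-security":
            result["hsts"] = True
    return result


def missing_secure(raw):
    """Names of cookies set without the Secure attribute, in response order."""
    return [n for n, f in audit_response(raw)["cookies"].items() if not f["secure"]]


if __name__ == "__main__":
    for label, raw in (("2014 sign-in", SIGNIN_2014), ("2016 sign-in", SIGNIN_2016)):
        report = audit_response(raw)
        print(label, "| cookies without Secure:", missing_secure(raw),
              "| HSTS present:", report["hsts"])
```

On the 2014 capture the checker lists `_session_id` among the cookies without Secure; on the 2016 capture `_session_id` passes (Secure and HttpOnly) while `__cfduid` and `_rf` still lack the flag, and neither response carries Strict-Transport-Security, matching the remark in comment 21.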

Updated

2 years ago
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED

Updated

2 years ago
Group: websites-security
Status: RESOLVED → VERIFIED