Session token in the url

RESOLVED INVALID

Status

Firefox
Untriaged
14 days ago
11 days ago

People

(Reporter: Sudheer Chandra, Unassigned)

Tracking

58 Branch

Firefox Tracking Flags

(Not tracked)

Attachments

(1 attachment)

(Reporter)

Description

14 days ago
Created attachment 8949642
Screen Shot 2018-02-09 at 12.12.04 PM.png

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Steps to reproduce:

Browsing through a website.
Found a Mozilla URL, "https://services.addons.mozilla.org".
Found that the session token is included in the URL.


Actual results:

URL:
"/en-US/firefox/api/1.5/search/guid:jid0-hjBdm7jJii7llLkqacvGnd3gHge@jetpack,fortiext@fortinet.com,clearcache@michel.de.almeida,{972ce4c6-7e08-4474-a285-3208198ce6fd},firefox-compact-light@mozilla.org@personas.mozilla.org,firefox-compact-dark@mozilla.org@personas.mozilla.org"


Expected results:

Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Seems unlikely that browsing through a random website would trigger a search on our addons site. Do you have any more specific steps?

In any case, there are no access tokens in that URL. That's a list of add-on IDs.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 days ago
Resolution: --- → INVALID
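
The point made in the reply, that the path carries add-on IDs rather than a token, can be checked structurally instead of by how random a value looks. The following is an added example, not part of the bug report or Mozilla's code; the GUID and email-like patterns follow the documented add-on ID shapes, while the `@personas.mozilla.org` suffix handling and the list of session parameter names are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Documented add-on ID shapes: a GUID in braces, or an email-like string.
GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
EMAIL_LIKE_RE = re.compile(r"^[a-z0-9._-]*@[a-z0-9._-]+$", re.I)
# Assumption: theme IDs carry this extra suffix, as seen in the reported URL.
PERSONA_SUFFIX = "@personas.mozilla.org"
# Assumption: query parameter names that commonly carry session state.
SESSION_PARAM_NAMES = {"session", "sessionid", "sid", "token",
                       "access_token", "jsessionid", "phpsessid"}

def classify_id(value):
    """Return the add-on ID shape a value matches, or 'unrecognized'."""
    if GUID_RE.match(value):
        return "guid"
    if value.endswith(PERSONA_SUFFIX):
        base = value[:-len(PERSONA_SUFFIX)]
        if EMAIL_LIKE_RE.match(base):
            return "theme"
    if EMAIL_LIKE_RE.match(value):
        return "email-like"
    return "unrecognized"

def triage_url(url):
    """Classify every entry of a 'guid:' path segment and flag session-like params."""
    parts = urlsplit(url)
    ids = []
    for segment in parts.path.split("/"):
        if segment.startswith("guid:"):
            ids = segment[len("guid:"):].split(",")
    classified = {i: classify_id(i) for i in ids}
    return {
        "ids": classified,
        # Values that fit no add-on ID shape deserve a closer look.
        "unrecognized": [i for i, k in classified.items() if k == "unrecognized"],
        "session_like_params": [k for k, _ in parse_qsl(parts.query)
                                if k.lower() in SESSION_PARAM_NAMES],
    }

# Host and path exactly as quoted in the report.
REPORTED_URL = (
    "https://services.addons.mozilla.org/en-US/firefox/api/1.5/search/guid:"
    "jid0-hjBdm7jJii7llLkqacvGnd3gHge@jetpack,fortiext@fortinet.com,"
    "clearcache@michel.de.almeida,{972ce4c6-7e08-4474-a285-3208198ce6fd},"
    "firefox-compact-light@mozilla.org@personas.mozilla.org,"
    "firefox-compact-dark@mozilla.org@personas.mozilla.org")

if __name__ == "__main__":
    print(triage_url(REPORTED_URL))
```

The `jid0-...@jetpack` entry looks random, yet it matches the email-like ID shape, which is why a format check is more reliable here than an entropy heuristic.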