Closed
Bug 1436927
Opened 6 years ago
Closed 6 years ago
Session token in the url
Categories
(Firefox :: Untriaged, defect)
RESOLVED
INVALID
People
(Reporter: sudheerchandrajerry, Unassigned)
Attachments
(1 file: 192.53 KB, image/png)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Steps to reproduce:
Browsing through a website, found a URL of Mozilla, "https://services.addons.mozilla.org", and found that the session token is included in the URL.

Actual results:
URL "/en-US/firefox/api/1.5/search/guid:jid0-hjBdm7jJii7llLkqacvGnd3gHge@jetpack,fortiext@fortinet.com,clearcache@michel.de.almeida,{972ce4c6-7e08-4474-a285-3208198ce6fd},firefox-compact-light@mozilla.org@personas.mozilla.org,firefox-compact-dark@mozilla.org@personas.mozilla.org"

Expected results:
Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Comment 1•6 years ago
Seems unlikely that browsing through a random website would trigger a search on our addons site. Do you have any more specific steps? In any case, there are no access tokens in that URL. That's a list of add-on IDs.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
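
The check Comment 1 makes by eye, written out as an added triage example (not part of the bug report or of Mozilla's code): it splits the `guid:` list from the reported path and labels each entry by its shape. The two ID patterns, the function names and the constructed counter-example are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumed ID shapes, modelled on the entries visible in the report:
# a brace-wrapped GUID, or an email-like "name@host" string (the theme
# IDs in the report carry a second "@", so the host part allows it).
GUID_ID = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
NAMED_ID = re.compile(r"^[a-z0-9._-]*@[a-z0-9._@-]+$", re.I)


def classify_guid_search(path):
    """Split the list after 'guid:' and label every entry by its shape."""
    marker = "/search/guid:"
    if marker not in path:
        raise ValueError("not a guid: search path")
    entries = unquote(path.split(marker, 1)[1]).strip().split(",")
    result = {}
    for entry in entries:
        entry = entry.strip()
        if GUID_ID.match(entry):
            result[entry] = "guid"
        elif NAMED_ID.match(entry):
            result[entry] = "named-id"
        else:
            result[entry] = "unrecognised"  # needs a manual look
    return result


def needs_review(path):
    """Entries that match neither ID shape, in order of appearance."""
    return [entry for entry, kind in classify_guid_search(path).items()
            if kind == "unrecognised"]


# Path quoted in the report above.
REPORTED = ("/en-US/firefox/api/1.5/search/guid:"
            "jid0-hjBdm7jJii7llLkqacvGnd3gHge@jetpack,fortiext@fortinet.com,"
            "clearcache@michel.de.almeida,"
            "{972ce4c6-7e08-4474-a285-3208198ce6fd},"
            "firefox-compact-light@mozilla.org@personas.mozilla.org,"
            "firefox-compact-dark@mozilla.org@personas.mozilla.org ")

# Constructed counter-example: one entry that is not shaped like an ID.
CONSTRUCTED = "/api/1.5/search/guid:fortiext@fortinet.com,9f86d081884c7d65"

if __name__ == "__main__":
    print(needs_review(REPORTED))
    print(needs_review(CONSTRUCTED))
```

Every entry in the reported path matches one of the two ID shapes, so nothing is flagged; only the constructed entry is returned for manual review.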