Closed Bug 1436927 Opened 6 years ago Closed 6 years ago

Session token in the url

Categories

(Firefox :: Untriaged, defect)

58 Branch
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: sudheerchandrajerry, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Steps to reproduce:

Browsing through a website
Found a URL of Mozilla "https://services.addons.mozilla.org"
Found the session token is included in the URL


Actual results:

URL
"/en-US/firefox/api/1.5/search/guid:jid0-hjBdm7jJii7llLkqacvGnd3gHge@jetpack,fortiext@fortinet.com,clearcache@michel.de.almeida,{972ce4c6-7e08-4474-a285-3208198ce6fd},firefox-compact-light@mozilla.org@personas.mozilla.org,firefox-compact-dark@mozilla.org@personas.mozilla.org"


Expected results:

Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Seems unlikely that browsing through a random website would trigger a search on our addons site. Do you have any more specific steps?

In any case, there are no access tokens in that URL. That's a list of add-on IDs.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
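
The reply's point, that the path carries add-on IDs and not a session token, can be checked mechanically when triaging a report like this one. The following Python is an added example, not code from this bug or from Mozilla; the two ID patterns and the function names are assumptions, and the URL is constructed by joining the host and path quoted in the report.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed: host and path exactly as quoted in the report, joined together.
REPORTED_URL = (
    "https://services.addons.mozilla.org"
    "/en-US/firefox/api/1.5/search/guid:"
    "jid0-hjBdm7jJii7llLkqacvGnd3gHge@jetpack,fortiext@fortinet.com,"
    "clearcache@michel.de.almeida,{972ce4c6-7e08-4474-a285-3208198ce6fd},"
    "firefox-compact-light@mozilla.org@personas.mozilla.org,"
    "firefox-compact-dark@mozilla.org@personas.mozilla.org"
)

# Assumed shapes of an add-on ID: a UUID in braces, or a name@namespace string.
# The second pattern allows repeated "@part" groups, as seen in the report.
BRACED_UUID = re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
NAME_AT_NS = re.compile(r"[A-Za-z0-9._-]*(@[A-Za-z0-9._-]+)+")


def classify_guid_search(url):
    """Return [(item, kind)] for each entry of a .../search/guid:<list> path."""
    path = unquote(urlsplit(url).path)
    marker = "/search/guid:"
    if marker not in path:
        raise ValueError("not a guid search path")
    items = path.split(marker, 1)[1].strip("/").split(",")
    result = []
    for item in items:
        if BRACED_UUID.fullmatch(item):
            kind = "uuid-id"
        elif NAME_AT_NS.fullmatch(item):
            kind = "name-id"
        else:
            kind = "unrecognised"  # not ID-shaped: look closer before closing
        result.append((item, kind))
    return result


def needs_review(url):
    """Entries that do not look like add-on IDs and so deserve a manual check."""
    return [item for item, kind in classify_guid_search(url) if kind == "unrecognised"]


if __name__ == "__main__":
    for item, kind in classify_guid_search(REPORTED_URL):
        print(f"{kind:12} {item}")
```

Every entry of the reported path classifies as an ID, so nothing is left for review; an opaque value with no ID shape would be returned by `needs_review` instead.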