Closed Bug 1463201 Opened 6 years ago Closed 6 years ago

Session token in URL

Categories

(Toolkit :: Add-ons Manager, defect)

Version: 61 Branch
Type: defect
Priority: Not set
Severity: major

Status: RESOLVED WORKSFORME

People

(Reporter: zishanahamedthandar, Unassigned)

Attachments

(1 file)

I am logged in to my Firefox account and intercepting requests in the Firefox browser. Firefox Sync automatically sent some requests. One of the requests looks like this:

https://services.addons.mozilla.org/en-US/firefox/api/1.5/search/guid:%7Ba6a5b521-62f8-48c1-ad86-702fd9f0e2c8%7D,%7Bc4da51f2-0180-4723-a92e-a4c4c0390c5f%7D,%7Bc45c406e-ab73-11d8-be73-000a95be3b12%7D,%7B2e084b0a-695c-4c75-adb0-08e5ed15aa7c%7D,%7Bc1970c0d-dbe6-4d91-804f-c9c0de643a57%7D,%7B9c51bd27-6ed8-4000-a2bf-36cb95c0c947%7D,jid1-xmjXYxrsJIAtCw%40jetpack,csrffinder%40piyushpattanayak.com,%7BF5DDF39C-9293-4d5e-9AA8-E04E6DD5E9B4%7D,client%40anonymox.net,xssme%40security.compass,%7Bbb6bc1bb-f824-4702-90cd-35e2fb24f25d%7D,%7BDDC359D1-844A-42a7-9AA1-88A850A938A8%7D,%40checkwpversion,%7Be968fc70-8f95-4ab9-9e79-304de2a71ee1%7D,foxyproxy%40eric.h.jung,firebug%40software.joehewitt.com,toggleproxy%40quirkyquipu.co.uk,%7B2B5E9984-75A1-11E5-963A-2E7C1D5D46B0%7D,%7B454867e3-7f62-bd5d-a26d-5d98e7e50fec%7D,eliteproxyswitcher%40my-proxy.com,sqlime%40security.compass,%7Bea4637dc-e014-4c17-9c2c-879322d23268%7D,jid1-2B1RkgHEZ0DcWA%40jetpack,jid1-93WyvpgvxzGATw%40jetpack,jid0-hjBdm7jJii7llLkqacvGnd3gHge%40jetpack,foxyproxy-basic%40eric.h.jung,%7Bb1b44d90-949c-45cb-b9cc-43c1bc8eede3%7D,jid0-jJRRRBMgoShUhb07IvnxTBAl29w%40jetpack,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D,exif_viewer%40mozilla.doslash.org,wappalyzer%40crunchlabz.com,%7Bb9acf540-acba-11e1-8ccb-001fd0e08bd4%7D,user-agent-switcher%40ninetailed.ninja,uBlock0%40raymondhill.net,%7Bd10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d%7D,firefox-compact-light%40mozilla.org%40personas.mozilla.org,firefox-compact-dark%40mozilla.org%40personas.mozilla.org

The notable thing is that some of my personal details and session tokens are transmitted over the URL.

=========================

The URL in the request appears to contain a session token within the query string:

https://services.addons.mozilla.org/en-US/firefox/api/1.5/search/guid:%7Ba6a5b521-62f8-48c1-ad86-702fd9f0e2c8%7D,%7Bc4da51f2-0180-4723-a92e-a4c4c0390c5f%7D,%7Bc45c406e-ab73-11d8-be73-000a95be3b12%7D,%7B2e084b0a-695c-4c75-adb0-08e5ed15aa7c%7D,%7Bc1970c0d-dbe6-4d91-804f-c9c0de643a57%7D,%7B9c51bd27-6ed8-4000-a2bf-36cb95c0c947%7D,jid1-xmjXYxrsJIAtCw%40jetpack,csrffinder%40piyushpattanayak.com,%7BF5DDF39C-9293-4d5e-9AA8-E04E6DD5E9B4%7D,client%40anonymox.net,xssme%40security.compass,%7Bbb6bc1bb-f824-4702-90cd-35e2fb24f25d%7D,%7BDDC359D1-844A-42a7-9AA1-88A850A938A8%7D,%40checkwpversion,%7Be968fc70-8f95-4ab9-9e79-304de2a71ee1%7D,foxyproxy%40eric.h.jung,firebug%40software.joehewitt.com,toggleproxy%40quirkyquipu.co.uk,%7B2B5E9984-75A1-11E5-963A-2E7C1D5D46B0%7D,%7B454867e3-7f62-bd5d-a26d-5d98e7e50fec%7D,eliteproxyswitcher%40my-proxy.com,sqlime%40security.compass,%7Bea4637dc-e014-4c17-9c2c-879322d23268%7D,jid1-2B1RkgHEZ0DcWA%40jetpack,jid1-93WyvpgvxzGATw%40jetpack,jid0-hjBdm7jJii7llLkqacvGnd3gHge%40jetpack,foxyproxy-basic%40eric.h.jung,%7Bb1b44d90-949c-45cb-b9cc-43c1bc8eede3%7D,jid0-jJRRRBMgoShUhb07IvnxTBAl29w%40jetpack,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D,exif_viewer%40mozilla.doslash.org,wappalyzer%40crunchlabz.com,%7Bb9acf540-acba-11e1-8ccb-001fd0e08bd4%7D,user-agent-switcher%40ninetailed.ninja,uBlock0%40raymondhill.net,%7Bd10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d%7D,firefox-compact-light%40mozilla.org%40personas.mozilla.org,firefox-compact-dark%40mozilla.org%40personas.mozilla.org?src=firefox&appOS=Linux&appVersion=59.0.1&tMain=3959&tFirstPaint=27188&tSessionRestored=46291

===================================

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
A few things:

1) Internally, this is an add-ons API, see https://developer.mozilla.org/en-US/Add-ons/AMO/Add-ons_manager_API . Specifically, it's using the 'search' endpoint to get information for the add-ons you (presumably) have installed. I'm not super familiar with the add-ons manager code in question. It looks like it gets called from Sync when installing add-ons based on your Firefox account information (i.e. to "sync" add-ons from one copy of Firefox to another) and used to get called for background update checks.

2) There are no session tokens in that URL; there are only the IDs of the extensions for which it's looking for information. The other data, src=firefox&appOS=Linux&appVersion=59.0.1&tMain=3959&tFirstPaint=27188&tSessionRestored=46291, says that you're making the request from Firefox 59.0.1 on Linux (which is in the UA header anyway), plus some timestamps about when particular bits happen. That code has already changed in Firefox 60 (current release) and doesn't look like it's passing those values anymore. This happened as part of bug 1402064.

So there are no session tokens or other bits that are personal, and even if you do feel that performance metrics are personal, we no longer send them (as far as I can tell, anyway). So I think this can be closed.

FWIW,

(In reply to zishanahamedthandar from comment #0)
> Sensitive information within URLs may be logged in various locations,
> including the user's browser, the web server, and any forward or reverse
> proxy servers between the two endpoints.

The information is transmitted over https (TLS/"SSL"). The IDs of add-ons are the most specific bit of information, but I would say that if you have proxies that you're using even for encrypted connections over https, that actually MITM the encryption bits (which would be the only way they could see the full URLs), then you have bigger privacy issues (as they can see the full contents of requests then anyway, so moving information to POST wouldn't help, and they could see all your other browsing data as well...). Ditto for anything going on inside the web browser, or any other logging that (per your assumptions) has access to the encrypted portions of these https requests.

> URLs may also be displayed
> on-screen, bookmarked or emailed around by users.

I don't see how this would ever reasonably happen given these requests are in the background and not user-initiated. Fortunately, they contain no personal information anyway (only which add-ons the user is using). If you're inspecting your own requests and then somehow reposting them over email or on public websites, I'm not convinced that moving the data to POST or something would make a difference; at that point you're likely to be using pcap or HAR files which would include other request data, too, and you should exercise due diligence about what requests are captured accordingly. Fortunately, again, I don't believe these requests contain personal (like names/email addresses etc.) or security-sensitive information like session tokens.

> They may be disclosed to third parties via the Referer header when any off-site links are followed.
> Placing session tokens into the URL increases the risk that they will be
> captured by an attacker.

Same here.
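The reply above rests on one claim: the path holds only add-on IDs and the query string holds only a handful of client parameters. As an added example (not Mozilla's code and not part of the bug report), the script below makes that claim checkable: it takes the URL quoted in comment 0, splits the `guid:` path segment into IDs, classifies each ID by shape, and compares the query parameters against an allowlist. The two ID shapes (braced GUID, e-mail-like `local@host`), the allowlist, and the shape-blind `looks_like_token` heuristic are assumptions written for this example, derived only from what the URL itself shows; they are not the add-ons manager's own validation rules.

```python
"""Triage helper for the "session token in URL" report (added example, not Mozilla code)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Sample input: the request URL as quoted in comment 0 of the bug (copied, not constructed).
REPORTED_URL = (
    "https://services.addons.mozilla.org/en-US/firefox/api/1.5/search/guid:"
    "%7Ba6a5b521-62f8-48c1-ad86-702fd9f0e2c8%7D,%7Bc4da51f2-0180-4723-a92e-a4c4c0390c5f%7D,"
    "%7Bc45c406e-ab73-11d8-be73-000a95be3b12%7D,%7B2e084b0a-695c-4c75-adb0-08e5ed15aa7c%7D,"
    "%7Bc1970c0d-dbe6-4d91-804f-c9c0de643a57%7D,%7B9c51bd27-6ed8-4000-a2bf-36cb95c0c947%7D,"
    "jid1-xmjXYxrsJIAtCw%40jetpack,csrffinder%40piyushpattanayak.com,"
    "%7BF5DDF39C-9293-4d5e-9AA8-E04E6DD5E9B4%7D,client%40anonymox.net,xssme%40security.compass,"
    "%7Bbb6bc1bb-f824-4702-90cd-35e2fb24f25d%7D,%7BDDC359D1-844A-42a7-9AA1-88A850A938A8%7D,"
    "%40checkwpversion,%7Be968fc70-8f95-4ab9-9e79-304de2a71ee1%7D,foxyproxy%40eric.h.jung,"
    "firebug%40software.joehewitt.com,toggleproxy%40quirkyquipu.co.uk,"
    "%7B2B5E9984-75A1-11E5-963A-2E7C1D5D46B0%7D,%7B454867e3-7f62-bd5d-a26d-5d98e7e50fec%7D,"
    "eliteproxyswitcher%40my-proxy.com,sqlime%40security.compass,"
    "%7Bea4637dc-e014-4c17-9c2c-879322d23268%7D,jid1-2B1RkgHEZ0DcWA%40jetpack,"
    "jid1-93WyvpgvxzGATw%40jetpack,jid0-hjBdm7jJii7llLkqacvGnd3gHge%40jetpack,"
    "foxyproxy-basic%40eric.h.jung,%7Bb1b44d90-949c-45cb-b9cc-43c1bc8eede3%7D,"
    "jid0-jJRRRBMgoShUhb07IvnxTBAl29w%40jetpack,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D,"
    "exif_viewer%40mozilla.doslash.org,wappalyzer%40crunchlabz.com,"
    "%7Bb9acf540-acba-11e1-8ccb-001fd0e08bd4%7D,user-agent-switcher%40ninetailed.ninja,"
    "uBlock0%40raymondhill.net,%7Bd10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d%7D,"
    "firefox-compact-light%40mozilla.org%40personas.mozilla.org,"
    "firefox-compact-dark%40mozilla.org%40personas.mozilla.org"
    "?src=firefox&appOS=Linux&appVersion=59.0.1&tMain=3959&tFirstPaint=27188&tSessionRestored=46291"
)

# Assumed add-on ID shapes, simplified from what the URL shows: a braced GUID, or an
# e-mail-like "local@host" string (jetpack IDs and the built-in theme IDs with two '@'
# both fall under the second shape). Not the add-ons manager's own validation regex.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
EMAIL_ID_RE = re.compile(r"^[A-Za-z0-9._-]*@[A-Za-z0-9._@-]+$")

# Assumed allowlist: the query parameters the Firefox 59 client appended, per the reply.
KNOWN_PARAMS = {"src", "appOS", "appVersion", "tMain", "tFirstPaint", "tSessionRestored"}


def classify_id(addon_id: str) -> str:
    """Return 'guid', 'email-style', or 'opaque' (the only class that deserves a second look)."""
    if GUID_RE.match(addon_id):
        return "guid"
    if EMAIL_ID_RE.match(addon_id):
        return "email-style"
    return "opaque"


def looks_like_token(value: str) -> bool:
    """Shape-blind heuristic a generic scanner might apply: 20+ alphanumerics mixing
    letters and digits. Kept only to contrast with the shape-aware classify_id()."""
    alnum = re.sub(r"[^A-Za-z0-9]", "", value)
    return len(alnum) >= 20 and bool(re.search(r"\d", alnum)) and bool(re.search(r"[A-Za-z]", alnum))


def triage(url: str) -> dict:
    """Split the AMO search URL into its parts and report what each part is."""
    parts = urlsplit(url)
    marker = "/guid:"
    if marker not in parts.path:
        raise ValueError("not an AMO guid search URL")
    # Everything after 'guid:' is a comma-separated, percent-encoded list of add-on IDs.
    ids = [unquote(x) for x in parts.path.split(marker, 1)[1].split(",") if x]
    counts = {"guid": 0, "email-style": 0, "opaque": 0}
    opaque = []
    for addon_id in ids:
        kind = classify_id(addon_id)
        counts[kind] += 1
        if kind == "opaque":
            opaque.append(addon_id)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {
        "host": parts.hostname,
        "id_count": len(ids),
        "counts": counts,
        "opaque_ids": opaque,
        "params": params,
        "unknown_params": sorted(set(params) - KNOWN_PARAMS),
        # How many IDs the shape-blind heuristic would have flagged as "token-like".
        "naive_token_hits": sum(1 for i in ids if looks_like_token(i)),
    }


def verdict(report: dict) -> str:
    if report["opaque_ids"] or report["unknown_params"]:
        return "needs review"
    return "add-on IDs and known client parameters only"


if __name__ == "__main__":
    r = triage(REPORTED_URL)
    print(r["counts"], r["params"], "naive token-like hits:", r["naive_token_hits"])
    print(verdict(r))
```

Running it on the reported URL classifies every one of the 38 path elements as a GUID or an e-mail-style ID and finds only the six allowlisted query parameters, which is the reply's conclusion. The `naive_token_hits` count shows why the report arose in the first place: a shape-blind "long random-looking string" rule fires on every GUID and every `jid0-`/`jid1-` jetpack ID, so a scanner that does not know the ID formats will report secrets that are not there. Dropping the query string, as the reply says Firefox 60 does, leaves the result unchanged apart from an empty parameter set.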
Blocks: 1402064
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Component: Sync → Add-ons Manager
Product: Firefox → Toolkit
Resolution: --- → WORKSFORME