
According to foreign media reports, Aidan Marlin, a security engineer at Trainline, a London-based railway travel service company, discovered thousands of Firefox cookie databases containing sensitive data in public GitHub repositories. This data could be used to hijack authenticated sessions.

These cookies.sqlite databases normally live in the Firefox profile folder and store cookies between browsing sessions. They can now be found by searching GitHub with specific query parameters, a so-called "GitHub search dork".

Most of the affected GitHub users appear to work in a shared environment across multiple computers. When they commit their entire Linux home directory and push it to a public repository, the SQLite database goes with it.
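The leak path described above (a whole home directory committed, cookies.sqlite included) can be checked for locally before anything is pushed. The following Python script is an added example, not code from the article or from Marlin: it walks a checked-out tree, recognises Firefox cookie databases by their SQLite header and moz_cookies table rather than by file name, and reports which unexpired cookies each one would hand an attacker, with values redacted. The moz_cookies schema used to build the sample profile is an assumed, reduced subset of Firefox's real table, and the directory layout and cookie rows are constructed test data.

```python
import os
import sqlite3
import tempfile
import time
from pathlib import Path

# Assumption: a reduced version of Firefox's moz_cookies table. The real table
# has more columns, but these are the ones an attacker cares about.
SCHEMA = """
CREATE TABLE moz_cookies (
    id INTEGER PRIMARY KEY,
    name TEXT, value TEXT, host TEXT, path TEXT,
    expiry INTEGER, isSecure INTEGER, isHttpOnly INTEGER
);
"""


def is_firefox_cookie_db(path):
    """True if `path` is a SQLite file that contains a moz_cookies table.

    The 16-byte SQLite magic is checked first so arbitrary files are never
    handed to sqlite3; the database is then opened read-only.
    """
    p = Path(path)
    try:
        with p.open("rb") as fh:
            if fh.read(16) != b"SQLite format 3\x00":
                return False
        con = sqlite3.connect(p.resolve().as_uri() + "?mode=ro", uri=True)
        try:
            row = con.execute(
                "SELECT 1 FROM sqlite_master WHERE type='table' AND name='moz_cookies'"
            ).fetchone()
        finally:
            con.close()
        return row is not None
    except (OSError, sqlite3.DatabaseError):
        return False


def audit_cookie_db(path, now=None):
    """Return one dict per unexpired cookie, with the value redacted to its length.

    `expiry` is a Unix timestamp; a cookie already past it is useless for
    session hijacking, so it is dropped from the report.
    """
    now = int(time.time()) if now is None else now
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT host, name, value, expiry, isSecure, isHttpOnly FROM moz_cookies"
        ).fetchall()
    finally:
        con.close()
    report = []
    for host, name, value, expiry, secure, httponly in rows:
        if expiry and expiry < now:
            continue
        report.append({
            "host": host, "name": name, "value_len": len(value or ""),
            "secure": bool(secure), "httponly": bool(httponly),
            "expires_in": (expiry - now) if expiry else None,
        })
    return report


def find_cookie_dbs(root):
    """Walk `root` (e.g. a cloned repo, .git excluded) and list every cookie DB."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if is_firefox_cookie_db(full):
                hits.append(full)
    return sorted(hits)


def audit_tree(root, now=None):
    """Map each cookie DB under `root` to its redacted cookie report."""
    now = int(time.time()) if now is None else now
    return {db: audit_cookie_db(db, now) for db in find_cookie_dbs(root)}


def build_sample_repo(now):
    """Constructed test data: a fake committed home directory with one profile."""
    root = tempfile.mkdtemp(prefix="leaked-home-")
    profile = Path(root, ".mozilla", "firefox", "abcd1234.default-release")
    profile.mkdir(parents=True)
    con = sqlite3.connect(profile / "cookies.sqlite")
    con.executescript(SCHEMA)
    con.executemany(
        "INSERT INTO moz_cookies(name, value, host, path, expiry, isSecure, isHttpOnly)"
        " VALUES (?,?,?,?,?,?,?)",
        [
            ("sessionid", "deadbeef" * 4, ".example.com", "/", now + 86400 * 30, 1, 1),
            ("prefs", "theme=dark", "example.com", "/", now + 86400, 0, 0),
            ("old_session", "0123456789", ".example.org", "/", now - 10, 1, 1),
        ],
    )
    con.commit()
    con.close()
    # A plain file that merely shares the name must not be reported.
    Path(root, "notes").mkdir()
    Path(root, "notes", "cookies.sqlite").write_text("not a database\n")
    return root


if __name__ == "__main__":
    now = int(time.time())
    for db, cookies in audit_tree(build_sample_repo(now), now).items():
        print(db)
        for c in cookies:
            print(f"  {c['host']:<16} {c['name']:<10} len={c['value_len']:<3} "
                  f"secure={c['secure']} httponly={c['httponly']}")
```

Run it against a fresh clone of your own repositories before making them public; the same `is_firefox_cookie_db` check, applied to the output of `git diff --cached --name-only`, makes a serviceable pre-commit hook, and it catches a renamed database that a `.gitignore` entry for `cookies.sqlite` would miss.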

Marlin acknowledged that users who committed their code and pushed it to a public repository did nothing to exclude their cookies.sqlite database, so the users who leaked the cookies also bear responsibility.

"But currently this GitHub dork has nearly 4,500 hits, so I think GitHub is also obliged to take this incident seriously and fix it."

However, a GitHub representative told Marlin that "credentials leaked by users are not within the scope of the Bug Bounty program", which suggests that GitHub has no plans to address this issue in the near future.

Marlin believes that GitHub does not take user security and privacy seriously, and said that GitHub could at least stop this GitHub dork from returning search results.


snakesss
1.1k reputation, 244 followers

SegmentFault editor; submissions of high-quality technical news are welcome!