Jan 09 2015
firefox security cookie monster bug

[ PLZ read my new blog post on the matter]

Today I came across a very nasty Firefox security bug: when using Pin Tabs, Firefox doesn't remove the first (in alphabetical order) domain's cookies.

I am using Firefox v34.0.5 so it’s the latest stable version as of the time of writing this blog post.

PLZ, let me try to walk you through my findings.

Below my settings:

firefox_cookie_settings.jpg

As you can see, firefox should remove all the cookies when I close it.
I use Pin Tabs for my day-to-day web sites/apps.

I’ve noticed that I am always logged in to a specific web site.
That gave me the creeps. How the hell am I already logged in to this web site?
I have just opened up my firefox and firefox should have removed all the cookies!

I closed every opened/pinned tab and removed all cookies by hand.
Restarted firefox, logged in to this site and then closed firefox.
Opened up firefox again and there was no cookie.

Strange

I am now thinking that my morning coffee had vodka inside.

Pin Tabbed a few sites, logged in to all of them, restarted firefox and then I am still logged in only to this specific web site.
Opened up the “Show Cookies …” setting from preferences and saw a few cookies. Restarted firefox once more and investigated the cookies again. Still logged in to this specific site.

The “Show Cookies …” setting presents the domain cookies in alphabetical order. So that gave me a clue. The site starts with the letter C and is always the first domain cookie.

OK, time to write some php cookie code to further investigate this issue.



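<?php

// Visit counter kept in a cookie named "aaaa" that expires in one day.
// Start from 0 when the browser sent no cookie, then increment.
$cookie_value = isset ( $_COOKIE["aaaa"] ) ? (int) $_COOKIE["aaaa"] : 0;
$cookie_value++;

// setcookie() emits a Set-Cookie header, so it must run before any output.
setcookie ( "aaaa" , (string) $cookie_value , strtotime("+1 day")  );

?>
<html>
<body>
<?php
        echo "Hit F5<br>";
        echo "cookie value is: " . $cookie_value;

?>
</body>
</html>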

Keep in mind that the visited server must send the Set-Cookie header within the HTTP response headers, before the HTML body.

Closed everything, removed every cookie. Unpinned every tab and restarted firefox.
Visited my php test page, saw the cookie value, restarted firefox. No cookie.

Opened up firefox once again, visited my php test page. “Pin Tab” the test page, hit F5 a few times and then restarted firefox. A cookie !!!!

So there is a security bug.
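A local stand-in for the PHP test page above, written as an added example that is not part of the original post. It goes one step further than the PHP page: it sets a session cookie next to the expiring one and stamps each with the time it was first issued, so a cookie that survived a restart shows a non-zero age. The cookie names `aaaa_persistent` and `aaaa_session` and the address 127.0.0.1:8000 are assumptions chosen for the example.

```python
import time
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical cookie names -> Max-Age; None means a session cookie (no expiry).
TEST_COOKIES = {"aaaa_persistent": 86400, "aaaa_session": None}

def handle_cookies(cookie_header, now):
    """Return (Set-Cookie values, report lines) for one request."""
    jar = SimpleCookie(cookie_header or "")
    set_cookie, report = [], []
    for name, max_age in TEST_COOKIES.items():
        try:
            # Cookie value format: "<hit count>.<epoch second of first issue>"
            count, issued = (int(p) for p in jar[name].value.split("."))
        except (KeyError, ValueError):
            count, issued = 0, now  # cookie absent or malformed: start over
        count += 1
        out = SimpleCookie()
        out[name] = f"{count}.{issued}"
        out[name]["path"] = "/"
        if max_age is not None:
            out[name]["max-age"] = max_age
        set_cookie.append(out[name].OutputString())
        report.append(f"{name}: hit {count}, first issued {now - issued}s ago")
    return set_cookie, report

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != "/":  # keep favicon requests from bumping the counters
            self.send_error(404)
            return
        set_cookie, report = handle_cookies(self.headers.get("Cookie"), int(time.time()))
        body = ("Hit F5\n" + "\n".join(report) + "\n").encode()
        self.send_response(200)
        for value in set_cookie:  # Set-Cookie goes out in the headers, before the body
            self.send_header("Set-Cookie", value)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

With cookies set to clear on close, both lines should read "hit 1, first issued 0s ago" on the first load after a restart; a higher hit count or a non-zero age means that cookie survived.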

I’ll try to pass this to my mozillian friends so they file a security bug report.

Remember, if you are logged in to Amazon via a Pin Tab … Amazon will always track you, as it would (perhaps) be the first (in alphabetical order) domain cookie.
