What's the cookie expiration time ? Does the server's session overlap it ? If it's pretty long :
Catch someone's computer backup (happy cloud) , import cookies -> same effect . If yes, I say it's a valid note ;) On 8 April 2013 18:19, Chris Roussel <[email protected]> wrote: > Dear Hackers, > > I've discovered what I think is a failure in GitHub.com login cookies: > > I installed the "Import Cookies" & "Export Cookies" plugins in my > firefox 20, then I signed in at github and exported my cookies, then I > signed out, I cleaned all the cookies in my browser and I started it > again, then I imported the cookies and I am login in without typing my > passwords, I've tried this with my google account, but there is clear > that when I signed out the info in the cookies was annulled, then it > appears like I am signed while I am searching, but if I want to check my > mail/drive I have to type my password. > > If you can reproduce this, tell to githubbers, if you can not let us know! > > I know, it is very difficult to catch my cookies while I'm on an https > session, but this is only a note. > > Best regards, > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
