Missing User Warnings
Medium
- Confidence
- 93% confidence
- Finding
- The client saves authenticated session cookies to a local JSON file in plaintext, which can allow anyone with filesystem access to reuse the session and impersonate the user on 12306. In an automation skill context, these cookies are highly sensitive because they may bypass reauthentication and expose account actions and personal travel data.
