A security researcher has warned that a Ruby on Rails vulnerability first outlined in September is continuing to linger on the Web, courtesy of admins who don't realise a vulnerability exists in its default CookieStore session storage mechanism. The weakness affects some big names, with the research turning up names like …


    This is not unusual. Wacky security holes exist all over the place. Part of it is lack of understanding but part of it is just optimistic laziness. I confess that despite my knowledge in this area, I am still often an offender myself.

    You can get an indication of the extent of the problem by looking at how often security warnings and updates happen in even old and well-audited systems. You can also get an indication from subtle cues such as widespread misunderstandings of things like password strength.

    We can never tighten this up without wide dissemination of understanding, agreement and ongoing audits to make sure that systems are actually secure against attack. We might not be able to defend against attacks from powerful adversaries like the NSA, but we can and should deflect trivial attacks on obviously deficient security.

    The state of data security is woefully inadequate and may even be getting worse.

      The problem these days is that most new vulnerabilities are sold to world spy agencies instead of the full public disclosure we had in the past. So some holes stay open as the vendor is not aware a security fix patch is needed.

      Money has replaced kudos and fame for most of those researching bugs. Very rare to see mega exploits for popular web services these days on sites like .

      It is possible to raise your profile in the security industry with tid-bits of disclosure, as this Ruby on Rails session issue has shown. Misconfiguration can happen to all of us, but at least we have control over that area.

