THOUSANDS of Ruby on Rails sites leave logins lying around

A security researcher has warned that a Ruby on Rails vulnerability first outlined in September is continuing to linger on the Web, courtesy of admins who don't realise that a vulnerability exists in its default CookieStore session storage mechanism. The weakness affects some big names; the research turned up names like …
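To make the mechanism the warning concerns concrete, the following is an added illustration, not code from the article, the researcher, or the Rails project. It models the defining property of Rails' CookieStore: the whole session lives in the browser cookie, signed with a server secret, and the server keeps no record of which cookies it has issued. The signing scheme here (Base64 payload, HMAC-SHA1, `--` separator) is a simplified stand-in for ActiveSupport::MessageVerifier, and the class and method names are hypothetical. A server-side store is modelled beside it so the difference in what "logout" can actually revoke is visible.

```ruby
require "openssl"
require "base64"
require "json"
require "securerandom"

# Simplified model of Rails' CookieStore (illustrative, not the Rails code):
# the full session hash is serialised into the cookie and signed with a
# server secret. Nothing about issued cookies is retained server-side.
class CookieStoreSession
  def initialize(secret)
    @secret = secret
  end

  # Issue a cookie carrying the session hash: "<base64 payload>--<hmac>".
  def issue(session_hash)
    data = Base64.strict_encode64(JSON.generate(session_hash))
    "#{data}--#{sign(data)}"
  end

  # Accept any cookie whose signature verifies under the current secret.
  # The only way to reject a previously issued cookie is to rotate the secret.
  def load(cookie)
    data, sig = cookie.to_s.split("--", 2)
    return nil unless data && sig && secure_compare(sign(data), sig)
    JSON.parse(Base64.strict_decode64(data))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # "Logout" with a cookie store only tells the browser to drop its copy;
  # there is no server-side record to delete, so copies elsewhere stay valid.
  def logout(_cookie); end

  private

  def sign(data)
    OpenSSL::HMAC.hexdigest("SHA1", @secret, data)
  end

  # Constant-time comparison so signature checking does not leak timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Contrast: a server-side store (as ActiveRecord/memcache/redis session stores
# do) keeps the session data on the server and hands the browser only an
# opaque random ID, so logout can really revoke it.
class ServerSideSession
  def initialize
    @sessions = {}
  end

  def issue(session_hash)
    id = SecureRandom.hex(16)
    @sessions[id] = session_hash
    id
  end

  def load(cookie)
    @sessions[cookie]
  end

  def logout(cookie)
    @sessions.delete(cookie)
  end
end

# Walks through login, cookie theft, logout and replay for a given store and
# returns true if the stolen copy is still accepted after the user logged out.
def replay_after_logout(store)
  cookie = store.issue("user_id" => 42) # user logs in
  stolen = cookie.dup                   # attacker obtains a copy (constructed scenario)
  store.logout(cookie)                  # user logs out; browser discards its cookie
  !store.load(stolen).nil?              # attacker replays the copy
end

if __FILE__ == $PROGRAM_NAME
  puts "CookieStore replay after logout accepted: #{replay_after_logout(CookieStoreSession.new('app-secret'))}"
  puts "Server-side replay after logout accepted: #{replay_after_logout(ServerSideSession.new)}"
end
```

The practical check this suggests for a Rails deployment: confirm which session store is configured, and if it is the cookie store, treat secret rotation as the only server-side revocation available and keep session lifetimes short.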

COMMENTS

This topic is closed for new posts.
  1. btrower

    I hate to say it, but

    This is not unusual. Wacky security holes exist all over the place. Part of it is lack of understanding but part of it is just optimistic laziness. I confess that despite my knowledge in this area, I am still often an offender myself.

    You can get an indication of the extent of the problem by looking at how often security warnings and updates happen in even old and well audited systems. You can also get an indication from subtle cues such as wide-spread misunderstandings of things like password strength.

    We can never tighten this up without wide dissemination of understanding, agreement and ongoing audits to make sure that systems are actually secure against attack. We might not be able to defend against attacks from powerful adversaries like the NSA, but we can and should deflect trivial attacks on obviously deficient security.

    The state of data security is woefully inadequate and may even be getting worse.

    1. Anon5000

      Re: I hate to say it, but

      The problem these days is that most new vulnerabilities are sold to world spy agencies instead of the full public disclosure we had in the past. So some holes stay open as the vendor is not aware a security fix patch is needed.

      Money has replaced kudos and fame for most of those researching bugs. Very rare to see mega exploits for popular web services these days on sites like exploit-db.com.

      It is possible to raise your profile in the security industry with tidbits of disclosure, as this Ruby on Rails session issue has shown. Misconfiguration can happen to all of us, but at least we have control over that area.
