Major websites such as Kickstarter,
WarnerBros.com and the online photography community 500px.com are among
2,000 at risk from a vulnerability that could allow attackers to
impersonate real users and access their sites, according to a
researcher.
The vulnerability affects sites using Ruby on Rails, a
popular open-source web development framework, built, it claims, for
“programmer happiness”.
The researcher who initially uncovered the vulnerability has
published a list of affected websites this week, including the major
names mentioned above, and other popular sites and apps such as My
Fitness Pall. The full list is published here on Maverick Blogging.
Researcher G S McNamara has offered to help development
teams with the issue, which affects older versions of Ruby on Rails –
and has notified sites including KickStarter. McNamara is continuing to
research the issue.
The weakness was first uncovered in September, The Register reports, and theoretically allows attackers to impersonate users who have previously logged in.The problem was uncovered by researcher G S MacNamamara, and is due to the web app’s failure to delete users’ details, stored as cookies, when they leave. MacNamara says, “a malicious user could use the stolen cookie from any authenticated request by the user to log in as them at any point in the future. When a user logs out what happens is not what you would expect. The previous cookie is still valid.”
McNamara describes this as “logout” being “broken by
default”, and says that users who fail to lot out of a site when they
leave would face particular difficulties. He recommends users change
passwords, or admins change the application. The vulnerability is no
longer present in Rails versions 4.0 and later.
Threatpost
commented that, “As you can imagine, when a user is working on an
untrusted network connection or is sharing a computer with someone else,
it makes their session extremely vulnerable.”
No comments:
Post a Comment