WarnerBros.com and Kickstarter.com Exposed Due to Ruby on Rails Vulnerability

Paper.li is one of the impacted websites

Back in September, security researcher G.S. McNamara warned that certain Ruby on Rails versions were plagued by a vulnerability that allowed hackers to hijack user sessions. Last week, the researcher provided a list of websites that were vulnerable.

The security hole stems from the use of CookieStore, which holds the user session hash in the web browser as a cookie. Because the server keeps no record of the sessions it has issued, an old cookie remains valid even after a new one is created, which means it can be used to hijack user accounts.

This is known as an insufficient session expiration weakness. The expert warns that this type of flaw is particularly dangerous on websites that don’t use SSL.

McNamara has identified 1,897 Rails websites vulnerable to attacks. However, he explains that the vulnerability also affects Django’s cookie-based session storage mechanism, so the actual number is likely much bigger.

Interestingly, while most of the vulnerable sites identified by the researcher belong to small companies, some of them are highly popular websites.

These include warnerbros.com, the website of the Warner Brothers studio; kickstarter.com, the famous crowdsourcing site; online photo community 500px.com; urbanspoon.com, a site dedicated to restaurant reviews; and online newspaper creator paper.li.

McNamara has told ThreatPost that the owners of some impacted websites have been notified of the issue. However, not all of them have responded to his reports.

It’s also worth noting that, while only Ruby on Rails versions older than 4.0 leave cookies unencrypted by default, cybercriminals can abuse even encrypted cookies to hijack accounts.

“The attacker could save the encrypted cookie and send it to the server to log in as the victim without having to read the contents of the cookie,” the expert told ThreatPost.

The researcher advises developers to use a cookie storage mechanism other than CookieStore in order to make sure their customers’ accounts are secured.
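To make the weakness concrete, here is an added Ruby sketch (not code from the article, from McNamara, or from Rails itself) that mimics a CookieStore-style signed session cookie beside a server-side store; the secret, the in-memory session table and the user id are constructed for the demo.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'
SECRET = 'constructed-demo-secret-do-not-reuse' # constructed for this demo
SERVER_SESSIONS = {}                               # constructed in-memory store

# Constant-time comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# CookieStore-style: the whole session hash travels in the cookie, guarded
# only by an HMAC; the server remembers nothing about issued sessions.
def sign_session(session)
  payload = Base64.strict_encode64(JSON.generate(session))
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)}"
end

# Verify the HMAC and decode; nil on a bad signature or malformed cookie.
def load_session(cookie)
  payload, digest = cookie.to_s.split('--', 2)
  expected = OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload.to_s)
  return nil unless secure_equal?(expected, digest.to_s)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Stateless: "logout" just hands the browser a fresh cookie; a saved old copy still verifies.
def stateless_login(user_id)
  sign_session('user_id' => user_id)
end
def stateless_user(cookie)
  load_session(cookie)&.fetch('user_id', nil)
end

# Server-side store: the cookie holds only an opaque id; logout deletes the record.
def stateful_login(user_id)
  sid = SecureRandom.hex(16)
  SERVER_SESSIONS[sid] = { 'user_id' => user_id }
  sign_session('sid' => sid)
end
def stateful_logout(cookie)
  SERVER_SESSIONS.delete(load_session(cookie)&.fetch('sid', nil))
end
def stateful_user(cookie)
  SERVER_SESSIONS.dig(load_session(cookie)&.fetch('sid', nil), 'user_id')
end
```

Signing (or encrypting) the cookie only stops forgery and tampering; it does nothing to expire a cookie the server has already issued, which is why moving session state server-side is the fix the article points to.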
