Feeds

THOUSANDS of Ruby on Rails sites leave logins lying around

Unexpired session cookies can be stolen, re-used

Using blade systems to cut costs and sharpen efficiencies

A security researcher has warned that a Ruby on Rails vulnerability first outlined in September is continuing to linger on the Web, courtesy of admins that don't realise a vulnerability exists in its default CookieStore session storage mechanism.

The weakness affects some big names, with the research turning up names like Warner Bros, Kickstarter, and the popular Tweet-aggregator tool Paper.li.

As US researcher G.S. McNamara detailed in September, the problem is that CookieStore retains valid session cookies at the client-side forever. This is referred to as an “insufficient session expiration” weakness.

That means if a malicious attacker were to steal the cookie from any authenticated request (via, for example, an XSS attack that gives the attacker access to a user's cookie store, but there's a host of other ways to get a copy of the cookie), they could use it to impersonate the victim and log into the Ruby Web app.

It also poses a risk for people using public terminals, or office computers that could be accessed by workmates.

As ThreatPost explained at the time, “the app issues a new cookie in the browser to overwrite the one that was created when the user was authenticated. Rails tells the browser to recognise that new cookie … but the old one still works, it hasn’t been invalidated and can’t be, by default”.

McNamara's recommendation is that admins should abandon CookieStore in favour of other mechanisms such as ActiveRecordStore – but his latest work finds that this isn't happening.

Instead, he's found 1,897 sites - including the names mentioned above - that are still using the weak CookieStore mechanism.

“This is not an exhaustive list,” he writes, “and there is future work to be done in detecting remotely the use of Rails’ CookieStore with encrypted values”. Django’s cookie storage is also bad at expiring cookies, and McNamara says he will continue the research to identify sites that haven't altered their cookie storage. ®

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.