Pierluigi Paganini
November 28, 2013
Ruby on Rails, “hit an open source web application framework to compromise a wide audience”, this is the thought of attackers that desire who want to hack the highest number of web sites.
A security issue inside cookie-based storage mechanism of Ruby on Rails could expose at least 2000 websites, this is the number of sites based on an old version of the framework that relies on the framework’s default cookie storage mechanism known as CookieStore.
Ruby on Rails CookieStore mechanisms saves user’s session hash in the cookie on the client side, a hacker via cross site scripting or session sidejacking could steal user’s log-in information and use them to successive log in impersonating the victims.
Security researcher G.S. McNamara provided the details of the vulnerability in a blog post , ha analyzed nearly 90,000 sites running specialized scripts and ha has discovered 1,897 sites based on old versions of Ruby on Rails (version 2.0 to version 4.0) that stores users’ cookie data in plain text. Another concerning issues related to the site analyzed is the lack, or wrong use, for SSL that allows communication eavesdropping.
Surprising the fact that within the vulnerable websites McNamara found also large companies such as crowdsourcing site Kickstarter.com, a site that belongs to the motion picture studio Warner Brothers (WarnerBros.com) and restaurant review site Urbanspoon.com, in particular Kickstarter is an example of improper use of SSL. Kickstarter is one of the websites that intentionally doesn’t use SSL during the the entire time a user is logged in.
Ruby on Rails implemented cookies encryption by default from version 4.0, but the cookie management still exposes users at risk of attacks, for example of victim’s personation.
“Version 4.0 and beyond still have this problem,” “The attacker could save the encrypted cookie and send it to the server to log in as the victim without having to read the contents of the cookie.”
“The encryption does not protect against reusing the cookie after logout,” wrote McNamara.
This means that despite cookies are encrypted hacker could steal them to log-in to target vulnerable website that permit an attacker to reuse old session credentials or session IDs for the authorization process. The flaw is known as “Insufficient Session Expiration” and it is a serious issue for website management.
“Many of the websites and tools we use store the session hash on the client side, including the applications Redmine, Zendesk, and Spiceworks.”
How to discover is a website is using an older version of Ruby on Rails using CookieStore cookie-based storage mechanism?
According McNamara it is quite simple, an attacker simply has to search for the string “Bah7” at the beginning of the value of the cookies, A SHODAN search for this code will reveal tens of thousands of these vulnerable websites: www.shodanhq.com/search?q=BAh7*.
NcNamara has proposed in the post a list of vulnerable websites based on Ruby on Rails, he also already requested to Rails developers to switch to a different cookie storage mechanism to fix the vulnerability, storing for example session information on the server side.
(Security Affairs – Ruby on Rails, cyber security)
