A newly publicized vulnerability, found by a white-hat researcher, puts users of over 2,000 websites at risk. Older versions of Ruby on Rails, a popular open source web application framework, ship with a default session store that cannot properly expire sessions, a weakness that affects the users of the thousands of sites built on it.
G.S. McNamara, a security researcher based in Washington, D.C., first reported the issue back in September. The weakness is classified as Insufficient Session Expiration, and McNamara says it is fairly common. It is especially dangerous on shared computers with high daily user turnover, such as those in libraries or internet cafes.
In older Rails versions the default session store, CookieStore, keeps the entire session on the client, in a cookie that is signed but not encrypted and that has no server-side expiry. Because the server holds no record of the session, Rails has no way to truly invalidate it: a copy of the cookie keeps working after the user logs out, until the application’s secret token is changed. An attacker who obtains a single user’s session cookie, for example through an XSS attack or by lifting it from a shared machine, can replay it to the Rails app and be logged in as that user. If the victim happened to be logged into a bank account, the attacker could carry out any number of actions under the victim’s identity.
The defect is a ‘child’ of Broken Authentication and Session Management, which is number 2 (A2) in the OWASP Top 10, indicating the high-risk nature of the problem. The OWASP report rates that category as widespread in prevalence with only average detectability.
Looking through the list of vulnerable sites, some pretty recognizable names pop out: KickStarter.com, the crowdfunding site; jango.com, the internet radio player; paper.li, which offers personalized online newspapers built from RSS feeds; and Fiverr.com, where people offer services for $5, among about 1,892 other exposed sites. The list is not exhaustive: these sites came out of roughly 90,000 that McNamara analyzed.
Even newer versions of Ruby on Rails (4.0 and up) don’t fully solve the issue, though they take the additional step of encrypting the cookie. An attacker, McNamara wrote to Threatpost, could still save the cookie and replay it to log in as the victim, without ever reading the encrypted contents.
How To Check If A Site Is Affected & How To Fix Your Ruby on Rails Site:
To check whether a site could be affected, McNamara advises looking for the string “BAh7” at the start of the session cookie’s value. That prefix is the Base64 encoding of the first bytes of a Marshal-serialized Ruby Hash, which is how CookieStore serializes the session, so its presence means the whole session is riding in the cookie.
McNamara recommends that developers working with Ruby on Rails switch to a session store that keeps the session data on the server, with the cookie carrying only an opaque session identifier, rather than the client-side CookieStore. A server-side store only helps if logging out actually deletes the server-side record, so that a copied cookie no longer points at anything. General recommendations for session expiration are to log users out automatically after a short idle period and to make log-out buttons highly visible so that users actually end their sessions.
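The following script is an added example, not code from the article, from McNamara’s research, or from Rails itself. Using only the Ruby standard library, it models the Rails 3 CookieStore format (Base64 of Marshal.dump(session), then “--”, then an HMAC-SHA1 hex digest, as ActiveSupport::MessageVerifier produced it) so you can see the “BAh7” prefix, read the session without the secret, and watch a copied cookie keep validating after logout. It then contrasts a minimal server-side store that can really invalidate a session. SECRET, ServerSessionStore, IDLE_TIMEOUT and the sample session contents are constructed for the demo and are not Rails APIs.

```ruby
require "base64"
require "openssl"
require "securerandom"

# Constructed stand-in for the value in config/initializers/secret_token.rb.
SECRET = "constructed-secret-token-for-demo-only"

# Rails 3 CookieStore layout (simplified re-implementation, not Rails code):
#   Base64(Marshal.dump(session_hash)) + "--" + HMAC-SHA1 hex digest of that Base64
def sign_session(session_hash, secret = SECRET)
  data = Base64.strict_encode64(Marshal.dump(session_hash))
  digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, data)
  "#{data}--#{digest}"
end

# McNamara's check: Marshal.dump of a Hash starts with bytes 04 08 7B, whose
# Base64 encoding is "BAh7". Pass the URL-decoded cookie value.
def cookie_store_fingerprint?(cookie_value)
  cookie_value.start_with?("BAh7")
end

# The cookie is signed, not encrypted: anyone holding it can read the session.
# (Attacker-side decoding of a cookie they already hold; a server must never
# Marshal.load a cookie before verifying the signature.)
def read_session_without_secret(cookie_value)
  data, _digest = cookie_value.split("--", 2)
  Marshal.load(Base64.strict_decode64(data))
end

# Constant-time comparison so signature checks do not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What a Rails 3 server does per request: verify the HMAC, then trust the contents.
# Returns nil for a bad signature; note there is no expiry and no revocation list.
def load_signed_session(cookie_value, secret = SECRET)
  data, digest = cookie_value.split("--", 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, data)
  return nil unless secure_compare(expected, digest)
  Marshal.load(Base64.strict_decode64(data))
end

# The alternative the article recommends, as a toy in-memory model: the cookie
# carries only an opaque ID, the data lives server-side, and the server can
# delete it on logout or after an idle period. (Not Rails' own session stores.)
class ServerSessionStore
  IDLE_TIMEOUT = 15 * 60 # seconds; illustrative value

  def initialize(clock: -> { Time.now.to_i })
    @sessions = {}
    @clock = clock # injectable so idle expiry can be exercised without sleeping
  end

  def create(data)
    id = SecureRandom.hex(16) # unguessable identifier, nothing else in the cookie
    @sessions[id] = { data: data, last_seen: @clock.call }
    id
  end

  def load(id)
    entry = @sessions[id]
    return nil unless entry
    if @clock.call - entry[:last_seen] > IDLE_TIMEOUT
      @sessions.delete(id) # idle expiry: server-side state is gone
      return nil
    end
    entry[:last_seen] = @clock.call
    entry[:data]
  end

  def logout(id)
    @sessions.delete(id) # a copied ID is now worthless; this is real invalidation
  end
end

# Side by side: does a stolen copy of the session survive the user's logout?
def replay_demo
  original = sign_session({ "user_id" => 42, "session_id" => SecureRandom.hex(16) })
  stolen_copy = original.dup
  sign_session({}) # "logout": the browser gets a fresh empty cookie, nothing else changes
  cookie_replay_ok = load_signed_session(stolen_copy)["user_id"] == 42

  store = ServerSessionStore.new
  id = store.create({ "user_id" => 42 })
  stolen_id = id.dup
  store.logout(id)
  server_replay_ok = !store.load(stolen_id).nil?

  { cookie_replay_ok: cookie_replay_ok, server_replay_ok: server_replay_ok }
end

if __FILE__ == $PROGRAM_NAME
  c = sign_session({ "user_id" => 42 })
  puts "cookie prefix BAh7?         #{cookie_store_fingerprint?(c)}"
  puts "readable without secret:    #{read_session_without_secret(c).inspect}"
  puts replay_demo.inspect
end
```

Running the script prints the fingerprint result, the decoded session, and `{:cookie_replay_ok=>true, :server_replay_ok=>false}`: the signed cookie still names user 42 after logout because nothing on the server changed, while the server-side store returns nothing for the copied identifier. Rotating the secret token is the only way to kill outstanding CookieStore sessions, and it kills all of them at once.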
- G.S. McNamara’s List of Websites Using Ruby on Rails’ CookieStore
- OWASP Top 10: A2 – Broken Authentication and Session Management