Saturday, 30 November 2013

Thousands of websites based on Ruby on Rails vulnerable to Cookie Handling flaw

Thousands of websites based on Ruby on Rails vulnerable to Cookie Handling flaw
Ruby on Rails contains a flaw in its design that may allow attackers to more easily access applications. Websites that rely on Ruby on Rails’s default cookie storage mechanism CookieStore are at risk.

The vulnerability was actually reported two months ago, but still thousands of website are running a vulnerable version of Ruby on Rails that allows a malicious attacker to gain unauthorized access again and again without password, if someone manages to steal users' cookies via via cross site scripting or session sidejacking or with physical access. 
More than 10,000 websites are vulnerable to Ruby on Rails's cookie storage mechanism flaw, but this vulnerability requires your user's session cookies to be compromised in the first place.

Security researcher G.S. McNamara provided the details of the vulnerability in a blog post , he analyzed nearly 90,000 sites running specialized scripts and discovered 1,897 sites based on old versions of Ruby on Rails (version 2.0 to version 4.0) that stores users’ cookie data in plain text.


Another concerning issues related to the site analyzed is the lack, or wrong use, for SSL that allows communication eavesdropping.
The surprising fact that large companies such as crowdsourcing site Kickstarter.com, Paper.li, Simfy, Ask.fm and Audioboo, Warner Bros. are also vulnerable to this flaw.

Ruby on Rails implemented cookies encryption by default from version 4.0. The purpose of an encrypted, signed cookie is to make sure someone can't forge a cookie to impersonate someone else, but the cookie management still exposes users at risk of attacks.

Version 4.0 and beyond still have this problem,” “The attacker could save the encrypted cookie and send it to the server to log in as the victim without having to read the contents of the cookie.
Thousands of websites based on Ruby on Rails vulnerable to Cookie Handling flaw
The encryption does not protect against reusing the cookie after logout,” wrote McNamara.

This means that despite cookies are encrypted hacker could steal them to log-in to target vulnerable website that permit an attacker to reuse old session credentials or session IDs for the authorization process. The flaw is known as "Insufficient Session Expiration" and it is a serious issue for website management.

"Many of the websites and tools we use to store the session hash on the client side, including the applications Redmine, Zendesk, and Spiceworks."

How to discover is a website is using an older version of Ruby on Rails using CookieStore cookie-based storage mechanism?

According McNamara it is quite simple, an attacker simply has to search for the string “Bah7” at the beginning of the value of the cookies, A SHODAN search for this code will reveal tens of thousands of these vulnerable websites.

Leaking your cookies equals to giving people a temporary password to your accounts. NcNamara already requested to Rails developers to switch to a different cookie storage mechanism to fix the vulnerability, storing for example session information on the server side.

No comments:

Post a Comment