• Critical Vulnerability and Privacy LoopHole Found in RoboForm Password Manager

    Unless you are a human supercomputer, remembering password is not so easy, and that too if you have a different password for each site. But luckily...
  • miniLock - Open Source File Encryption Tool from CryptoCat Developer

    It’s the age of surveillance what made the Use of Encryption so widely that it has become a need of law enforcement agencies, cyber criminals as...
  • A BEGINNERS GUIDE TO HACKING UNIX

      *************  *       A BEGINNERS GUIDE TO:        *  *        ...
  • CASH! CASH! Hacking ATM Machines with Just a Text Message

    As we reported earlier, Microsoft will stop supporting the Windows XP operating system after 8th April, apparently 95% of the world’s 3 million...
  • Microsoft Word Zero-Day Vulnerability is being exploited in the Wild

    Microsoft warned about a zero-day vulnerability in Microsoft Word that is being actively exploited in targeted attacks and discovered by the...
  • Snoopy Drone Can Hack Your Smartphones

    The use of unmanned aerial vehicles (UAVS) called Drones is rapidly transforming the way we go to war. Drones were once used for...
  • Android Privilege Escalation Flaws leave Billions of Devices vulnerable to Malware Infection

    Android - a widely used Smartphone platform offered by Google is once again suspected to affect its users with malicious software that puts...
  • Introduction to Netcat

    Introduction : So I was messing around on the internet and came across a tool called Netcat.  I've been messing with it for a couple of...
  • Google Nexus phone vulnerable to SMS-based DOS attack

    Google’s Nexus Smartphones are vulnerable to SMS-based DOS attack, where an attacker can force it to restart, freeze, or lose network...
  • Linux worm targeting Routers, Set-top boxes and Security Cameras with PHP-CGI Vulnerability

    A Symantec researcher has discovered a new Linux worm, targeting machine-to-machine devices, and exploits a PHP vulnerability...

Saturday, 30 November 2013

Thousands of websites based on Ruby on Rails vulnerable to Cookie Handling flaw

Thousands of websites based on Ruby on Rails vulnerable to Cookie Handling flaw
Ruby on Rails contains a flaw in its design that may allow attackers to more easily access applications. Websites that rely on Ruby on Rails’s default cookie storage mechanism CookieStore are at risk.

The vulnerability was actually reported two months ago, but still thousands of website are running a vulnerable version of Ruby on Rails that allows a malicious attacker to gain unauthorized access again and again without password, if someone manages to steal users' cookies via via cross site scripting or session sidejacking or with physical access. 
More than 10,000 websites are vulnerable to Ruby on Rails's cookie storage mechanism flaw, but this vulnerability requires your user's session cookies to be compromised in the first place.

Security researcher G.S. McNamara provided the details of the vulnerability in a blog post , he analyzed nearly 90,000 sites running specialized scripts and discovered 1,897 sites based on old versions of Ruby on Rails (version 2.0 to version 4.0) that stores users’ cookie data in plain text.


Another concerning issues related to the site analyzed is the lack, or wrong use, for SSL that allows communication eavesdropping.
The surprising fact that large companies such as crowdsourcing site Kickstarter.com, Paper.li, Simfy, Ask.fm and Audioboo, Warner Bros. are also vulnerable to this flaw.

Ruby on Rails implemented cookies encryption by default from version 4.0. The purpose of an encrypted, signed cookie is to make sure someone can't forge a cookie to impersonate someone else, but the cookie management still exposes users at risk of attacks.

Version 4.0 and beyond still have this problem,” “The attacker could save the encrypted cookie and send it to the server to log in as the victim without having to read the contents of the cookie.
Thousands of websites based on Ruby on Rails vulnerable to Cookie Handling flaw
The encryption does not protect against reusing the cookie after logout,” wrote McNamara.

This means that despite cookies are encrypted hacker could steal them to log-in to target vulnerable website that permit an attacker to reuse old session credentials or session IDs for the authorization process. The flaw is known as "Insufficient Session Expiration" and it is a serious issue for website management.

"Many of the websites and tools we use to store the session hash on the client side, including the applications Redmine, Zendesk, and Spiceworks."

How to discover is a website is using an older version of Ruby on Rails using CookieStore cookie-based storage mechanism?

According McNamara it is quite simple, an attacker simply has to search for the string “Bah7” at the beginning of the value of the cookies, A SHODAN search for this code will reveal tens of thousands of these vulnerable websites.

Leaking your cookies equals to giving people a temporary password to your accounts. NcNamara already requested to Rails developers to switch to a different cookie storage mechanism to fix the vulnerability, storing for example session information on the server side.

No comments:

Post a Comment