2012-03-09

Flaw in Ruby on Rails

A security flaw in Ruby on Rails (RoR), an open source framework for web applications used by several hundred thousand web developers worldwide, was exposed last week in a way that, though it succeeded in bringing the flaw to public notice, probably irked quite a few people who work in the web hosting and development industry. Egor Homakov, a Russian "white-hat" hacker, warned the RoR developer community about the 'mass assignment' flaw and then, a few days later, used that flaw to take over administrative control of GitHub, an important web site for the distribution of open source software packages, for about an hour before GitHub administrators patched their systems to close the flaw.

GitHub, launched in 2008, is a hosting service for web application development. The name of the site is derived from its use of the Git revisioning system that controls the code versions of the many open source packages stored there. Last year, GitHub announced that the web site had over two million code repositories and over one million enrolled users.

Ruby on Rails is based on the Ruby programming language, first introduced in 1995. RoR first appeared in 2004 and became open source in 2005. In 2009, Apple shipped RoR with Mac OS X v10.5, otherwise known as Snow Leopard, to help web developers build OS X applications. The latest version of RoR is 3.1, released in August 2011. Currently, close to a quarter-million web sites run applications based on RoR.

The RoR 'mass assignment' flaw allowed Homakov to replace the cryptographic key of a prominent contributor to the site with one of his own, giving him that contributor's identity and rights, including write access to the web site's code repository for Ruby on Rails. To make his presence as an unauthorized admin prominent, Homakov posted entries in the GitHub bug tracker with dates in the year 3013.
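As an added illustration (not code from the article, GitHub or the Rails project), the following Ruby mimics the unprotected mass assignment pattern the flaw relied on, beside a whitelist fix in the style of Rails 3's attr_accessible; the class and attribute names and the request hash are constructed for the example.

```ruby
# Added example: a minimal stand-in for ActiveRecord mass assignment.
# Not from the article or the Rails project; all names are hypothetical.

# Unprotected: every key in the request hash becomes an attribute,
# including ownership fields such as user_id.
class PublicKeyUnprotected
  attr_reader :attributes

  def initialize(attrs)
    @attributes = attrs.dup
  end

  # Mimics update_attributes(params[:public_key]) with no whitelist.
  def update_attributes(params)
    params.each { |k, v| @attributes[k.to_s] = v }
    self
  end
end

# Hardened: only whitelisted attributes may be set from request parameters.
# Anything else is dropped, the way attr_accessible does, and reported here
# so the attempt shows up in logs.
class PublicKeyProtected < PublicKeyUnprotected
  ACCESSIBLE = %w[title key].freeze # hypothetical whitelist

  def update_attributes(params)
    rejected = params.keys.map(&:to_s) - ACCESSIBLE
    warn "mass assignment blocked for: #{rejected.join(', ')}" unless rejected.empty?
    super(params.select { |k, _| ACCESSIBLE.include?(k.to_s) })
  end
end

# Constructed request: a harmless title change bundled with an ownership change.
TAMPERED_PARAMS = { 'title' => 'laptop', 'user_id' => 1 }.freeze

# Returns the record's owner after applying the tampered request, so the
# two behaviours can be compared directly.
def owner_after_update(klass)
  record = klass.new('user_id' => 42, 'title' => 'old', 'key' => 'ssh-rsa AAAA...')
  record.update_attributes(TAMPERED_PARAMS).attributes['user_id']
end
```

With the unprotected class the owner silently changes to 1; with the whitelist it stays 42 while the title update still goes through.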

Two days before the takeover, Homakov had posted warnings about the flaw on RoR forums; the response was a storm of comments and very little action, despite his explicit statements about the severe consequences for web sites that did not repair the vulnerability. After the takeover was reversed, Homakov was temporarily suspended from GitHub but was soon reinstated, with roughly equal numbers of open source developers condemning and praising him.

Prominent voices in the open source community have said that, while they recognize it is unrealistic to expect action in response to warnings alone, they still maintain that developers must exercise social and moral responsibility when publicizing the seriousness of a discovered flaw. The compromise between warning and action, they say, must be a policy of responsible disclosure.

Kimberly Dovander

Kimberly is the pro blogger in the WHS family. News about the web hosting industry is what she knows best. Send her a question, or drop a line in the comment section below, and she'll get back to you.
