1,897 Web Sites Affected by Ruby on Rails Vulnerability
Vulnerable sites include those for Kickstarter, Mozy, Urbanspoon and Warner Bros., among many others.
The flaw, which was first disclosed on September 24, 2013, is that the CookieStore mechanism stores cookies on the client side without maintaining a corresponding entry on the server side. As a result, cookies "persist for life" and can be used to access an application even after the session is thought to be terminated.
The risk, McNamara wrote at the time, is that "a malicious user could use the stolen cookie from any authenticated request by the user to log in as them at any point in the future."
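The behaviour described above can be modelled in a few lines. This is an added example, not Rails' CookieStore code and not part of the original article: it contrasts a session held only in a signed client-side cookie with one that also has a server-side entry that logout can delete. The class names, the secret and the cookie format are assumptions made for the illustration.

```ruby
require "openssl"
require "base64"
require "json"
require "securerandom"
SECRET = "constructed-demo-secret" # assumption: stands in for the app's signing key

def sign(payload)
  data = Base64.strict_encode64(JSON.generate(payload))
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)}"
end

# Returns the payload hash when the signature checks out, otherwise nil.
def verify(cookie)
  data, mac = cookie.to_s.split("--", 2)
  return nil unless data && mac
  expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, data)
  same = expected.bytesize == mac.bytesize &&
         expected.bytes.zip(mac.bytes).sum { |x, y| x ^ y }.zero? # no early exit
  same ? JSON.parse(Base64.strict_decode64(data)) : nil
end

# Stateless model: the signed cookie is the only copy of the session.
class StatelessApp
  def login(user)
    sign("user" => user)
  end
  def logout(_cookie)
    nil # nothing stored server-side, so nothing to invalidate
  end
  def current_user(cookie)
    (verify(cookie) || {})["user"]
  end
end

# Hardened model: the cookie carries only an id that must exist server-side.
class RevocableApp
  def initialize; @active = {}; end # session id => user
  def login(user)
    sid = SecureRandom.hex(16)
    @active[sid] = user
    sign("sid" => sid)
  end
  def logout(cookie)
    @active.delete((verify(cookie) || {})["sid"])
  end
  def current_user(cookie)
    @active[(verify(cookie) || {})["sid"]]
  end
end
```

Keeping the cookie returned by `login`, calling `logout`, and then passing the same cookie to `current_user` still returns the user for `StatelessApp`, while `RevocableApp` returns `nil` because the server-side entry is gone.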