1,897 Web Sites Affected by Ruby on Rails Vulnerability


Researcher G. S. McNamara, who disclosed a vulnerability in Ruby on Rails in September 2013, recently published a list of 1,897 Web sites that are affected by the flaw (h/t Threatpost).

The flaw, which was first disclosed on September 24, 2013, lies in the fact that the CookieStore mechanism keeps the entire session in a cookie on the client side without maintaining a corresponding entry on the server side. Because the server holds no record it can invalidate, such cookies "persist for life" and can be used to access an application even after the session is thought to have been terminated.
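To make the mechanism concrete, the following Ruby script is an added example written for this article; it is not code from the article, from McNamara, or from Rails itself. It uses a simplified HMAC-signed cookie as a stand-in for a signed client-side session (Rails' real CookieStore serialises and signs differently), with a constructed demo secret and hypothetical class names. It contrasts a store that accepts any validly signed cookie forever with a store that keeps only a random session id in the cookie and a registry of live ids on the server, so that logout actually revokes the session.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Constructed demo secret (assumption: a real app would load this from config).
SECRET = 'demo-secret-not-for-production'.freeze

# Constant-time comparison so signature checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Serialise the payload, base64 it, and append an HMAC-SHA256 tag.
# This is a simplified stand-in for a signed client-side session cookie.
def sign_cookie(payload)
  data = [JSON.generate(payload)].pack('m0')
  mac = OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)
  "#{data}--#{mac}"
end

# Return the payload if the tag verifies, or nil if the cookie was tampered with.
def verify_cookie(cookie)
  data, mac = cookie.to_s.split('--', 2)
  return nil unless data && mac
  expected = OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)
  return nil unless secure_equal?(expected, mac)
  JSON.parse(data.unpack1('m0'))
end

# Stateless store: the user id lives in the cookie and the server keeps nothing.
# Any cookie with a valid signature is accepted for as long as SECRET is in use.
class CookieOnlySessions
  def login(user_id)
    sign_cookie('user_id' => user_id)
  end

  def authenticated_user(cookie)
    payload = verify_cookie(cookie)
    payload && payload['user_id']
  end

  # "Logout" can only ask the browser to discard the cookie; nothing on the
  # server changes, so a copy retained from earlier still verifies.
  def logout(_cookie); end
end

# Server-backed store: the cookie carries only a random session id, and the
# server keeps the set of live ids. Deleting the id revokes every copy at once.
class ServerBackedSessions
  def initialize
    @live = {} # session_id => user_id
  end

  def login(user_id)
    sid = SecureRandom.hex(32)
    @live[sid] = user_id
    sign_cookie('sid' => sid)
  end

  def authenticated_user(cookie)
    payload = verify_cookie(cookie)
    payload && @live[payload['sid']]
  end

  def logout(cookie)
    payload = verify_cookie(cookie)
    @live.delete(payload['sid']) if payload
  end
end

# Log in, keep a copy of the cookie, log out, then present the old copy.
# Returns the user id still accepted after logout, or nil if it was revoked.
def session_survives_logout(store)
  cookie = store.login(42)
  retained_copy = cookie.dup
  store.logout(cookie)
  store.authenticated_user(retained_copy)
end

if __FILE__ == $PROGRAM_NAME
  puts "cookie-only store after logout:   #{session_survives_logout(CookieOnlySessions.new).inspect}"
  puts "server-backed store after logout: #{session_survives_logout(ServerBackedSessions.new).inspect}"
end
```

The practical takeaway for a Rails deployment is the second pattern: keep session state (or at least a revocation record) on the server, for example by switching `session_store` away from `:cookie_store`, or by checking a per-user token stored in the database on each request and rotating it at logout. Rotating the signing secret also invalidates outstanding cookies, but it logs out every user at once.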

The risk, McNamara wrote at the time, is that "a malicious user could use the stolen cookie from any authenticated request by the user to log in as them at any point in the future."

The list of affected sites includes those for Lomography, Kickstarter, Mozy, JibJab, Quirky, Spokeo, Urbanspoon and Warner Bros., among many others.