This week, online security analysis site ThreatPost outlined a security vulnerability in the popular web development framework Ruby on Rails. According to ThreatPost, the vulnerability still affects as many as 2,000 web sites. The threat could allow hackers to log in as
Sites using an old version of Ruby on Rails that relies on CookieStore, the framework’s default session storage mechanism, are at risk. CookieStore saves each user’s session hash in a cookie on the client side, and because nothing in that cookie records when it was issued, each cookie stays valid for life. This makes it possible for an attacker to obtain a user’s login cookie – either via cross-site scripting or session sidejacking – and log in as them at a later date.
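As an added illustration (not code from the article or from Rails itself) of why a client-side session with no embedded issue time can be replayed indefinitely, here is a minimal signed-cookie session in Ruby: the legacy layout beside a variant that signs an issue time and rejects stale cookies on the server. The secret, the constant names and the helper functions are assumptions.

```ruby
require 'openssl'
require 'base64'
require 'json'
# Constructed secret and helpers (assumptions, not Rails' own code): a minimal
# CookieStore-style session that is serialised into a signed client-side cookie.
SECRET = 'example-secret-not-for-production'
MAX_AGE = 3600 # seconds a cookie stays acceptable in the mitigated variant

def sign(payload)
  data = Base64.strict_encode64(payload)
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)}"
end

def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash if the signature checks out, nil otherwise.
def verify(cookie)
  data, mac = cookie.split('--', 2)
  return nil unless data && mac
  return nil unless secure_equal?(OpenSSL::HMAC.hexdigest('SHA256', SECRET, data), mac)
  JSON.parse(Base64.strict_decode64(data))
rescue ArgumentError, JSON::ParserError
  nil
end

# Legacy layout: only the session hash is signed. Nothing in the cookie records
# when it was issued, so a copy captured once verifies at any later time.
def legacy_session_cookie(user_id)
  sign(JSON.generate('user_id' => user_id))
end

def legacy_load(cookie, _now)
  verify(cookie) # no expiry check is possible; the server keeps no state
end

# Mitigation: include an issue time inside the signed payload and have the
# server reject cookies older than MAX_AGE, whatever the browser's Expires says.
def expiring_session_cookie(user_id, now)
  sign(JSON.generate('user_id' => user_id, 'iat' => now))
end

def expiring_load(cookie, now)
  session = verify(cookie)
  return nil unless session && session['iat'].is_a?(Integer)
  return nil if now - session['iat'] > MAX_AGE
  session
end
```

A server-side session store (a session id in the cookie, the data in a database) goes one step further, since it also allows an individual session to be revoked.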
Security researcher G.S. McNamara ran a script that surfaced 2,000 of 90,000 sites as being subject to the vulnerability. Kickstarter was included as one of the high-profile offenders along with UrbanSpoon.com and WarnerBros.com. The post does say that Kickstarter is aware of the issue. In short, Kickstarter was singled out but may not be the only platform affected.
More details are available at ThreatPost.