RubyOnRails team quickly responds and patches an XSS vulnerability

Sep 4, 2009 09:47 GMT

US-based security researcher and open-source developer Brian Mastenbrook announced on his blog that for the past month he had been working with the Ruby on Rails security team to fix a cross-site scripting (XSS) vulnerability in the framework. Sites built on that framework, including Twitter and 37signals' Basecamp, Highrise, Backpack and Campfire, were running in production and exposed to the same flaw.

As far as is known, the flaw had not been discovered by anyone else, and there is no record of it having been exploited in the wild. Mastenbrook, a well-known US security researcher and book author, promptly notified all affected parties so that a patch could be released as quickly as possible.

The idea came to Mastenbrook after earlier work on a piece of software that had trouble handling Unicode characters. When it occurred to him to try the same kind of input against a web application, Twitter happened to be the site open in his browser, so he tried a simple JavaScript snippet, laced with specially crafted Unicode characters, in a URL on Twitter's front end.

Having confirmed that the injection worked against Twitter, he set out to determine whether the problem was specific to Twitter or general to the framework the site was built on, Ruby on Rails. Further testing turned up the same vulnerability on another Rails-based site, 37signals' Basecamp.
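To make the class of problem concrete, the following is an added Ruby illustration, not Rails' own code, the actual patch, or Mastenbrook's test input: an HTML escaper that assumes its input is well-formed UTF-8, next to one that validates the encoding before escaping. The payload, the helper names and the choice of U+FFFD as the replacement character are this example's own assumptions.

```ruby
# Added illustration (not the Rails patch or the reported payload): an HTML
# escaper that trusts its input's encoding versus one that validates first.
# The sample input below is constructed for this example.

HTML_ESCAPE = {
  "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;", "'" => "&#39;"
}.freeze

# Escaper that assumes well-formed UTF-8. On a string whose bytes are not
# valid UTF-8, Ruby's regex engine refuses to match and raises ArgumentError,
# so the caller gets an exception (a 500 page) instead of a safe string. An
# escaper that silently misparsed the bytes instead would be worse: the
# metacharacters after the bad byte could pass through unescaped.
def naive_escape(str)
  str.gsub(/[&<>"']/) { |c| HTML_ESCAPE[c] }
end

# Hardened escaper: coerce to UTF-8, replace every malformed byte sequence
# with U+FFFD so that decoding and escaping agree on where each character
# starts, then escape the metacharacters.
def hardened_escape(str)
  cleaned = str.dup.force_encoding(Encoding::UTF_8).scrub("\uFFFD")
  cleaned.gsub(/[&<>"']/) { |c| HTML_ESCAPE[c] }
end

# Constructed input: a lone UTF-8 lead byte (0xE2 announces a three-byte
# sequence that never arrives) immediately followed by a script tag. This is
# the shape of input one would use to probe an escaper's Unicode handling.
PAYLOAD = "\xE2<script>alert(1)</script>".dup.force_encoding(Encoding::UTF_8)

if __FILE__ == $PROGRAM_NAME
  begin
    naive_escape(PAYLOAD)
  rescue ArgumentError => e
    puts "naive escaper failed: #{e.message}"
  end
  puts "hardened escaper: #{hardened_escape(PAYLOAD)}"
end
```

Run the file with `ruby` to see the naive escaper raise on the malformed input while the hardened one returns an escaped string. The general point is that any filter or escaper must operate on validated, canonical text: if the decoding step and the escaping step can disagree about where a character begins, an attacker who controls the bytes controls that disagreement.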

Following responsible disclosure practice, Mastenbrook immediately informed the Rails development team, Twitter, and 37signals' security contacts. Twitter's security team, apparently having learned from the recent attacks on the service, worked with the Rails team to get a patch out quickly.

37signals, by contrast, was much slower to respond. According to Mastenbrook's account on his blog, his report ended up with customer support, where a staff member failed to grasp its importance and spent several days arguing with him over “small details.”

The patch issued by the Rails security team can be found here. Anyone running a Rails application should apply it; Twitter already has, so you hackers out there, “Don't get any ideas!”