Comments on: PayPerPost Is Now Officially Absurd

By: Web Browsers Exploited by XSS Attacks « ROAM DATA Smart mCommerce News

Web Browsers Exploited by XSS Attacks « ROAM DATA Smart mCommerce News — Thu, 25 Nov 2010 23:56:25 +0000

[...] RubyOnRails XSS Vulnerability Claims Twitter, Basecamp And My Confidence (techcrunchit.com) mcommerce, mobile commerce ECOMMERCE, FRAUD, HACK, m-commerce, MASTERCARD, mcommerce, mobile banking, mobile commerce, mobile payments, mobile phone, PCI, PIN DEBIT, ROAM DATA, ROAMDATA, SMARTPHONE, Triple DES DUKPT, VISA, Web Security « Western Union Limitation Causing Big Problems 11 Charged in Minnesota Cloned Card Scheme » [...]

By: If Web 2.0, then IT Security 2.0 « ::: Smart Oze Blog :::

If Web 2.0, then IT Security 2.0 « ::: Smart Oze Blog ::: — Tue, 30 Mar 2010 03:47:51 +0000

[...] case we need some examples of the bad news, just in the last few days see here, here, here, and [...]

By: Week 36 in Review – 2009 | Infosec Events

Week 36 in Review – 2009 | Infosec Events — Thu, 11 Feb 2010 10:42:19 +0000

[...] RubyOnRails XSS Vulnerability Claims Twitter, Basecamp And My Confidence – techcrunchit.com Today came news that an XSS vulnerability had been found in the RubyOnRails development framework. [...]

By: Basecamp Review

Basecamp Review — Wed, 20 Jan 2010 19:12:01 +0000

As a ruby developer and user of both Twitter and basecamp I appreciate you bringing this to our attention.

By: WHAZUP – iPhone MMS, Android Market, Opera 10, Snow Leopard, Wetoku

WHAZUP – iPhone MMS, Android Market, Opera 10, Snow Leopard, Wetoku — Mon, 07 Sep 2009 20:48:52 +0000

[...] Ruby On Rails XSS Vulnerability discovered Brian Masterbrook discovered a vulnerability on the uber-famous Ruby On Rails framework. The vulnerability impacted Twitter, Basecamp and the many applications written using Ruby On Rails. [...]

By: Tyler

Tyler — Sun, 06 Sep 2009 10:22:40 +0000

4 days later and still no correction. Keep it classy.

By: Nikolay Kolev

Nikolay Kolev — Sat, 05 Sep 2009 23:02:34 +0000

Twitter's front end is very simple. Probably it has more JavaScript nowadays than Ruby code - it's not a big effort to port it to Scala's lift, for example, and standardize entirely on one technology. Now, on the funny side... Ruby is being developed in Japan and historically has been having issues with Unicode that is designed to solve problems with non-English locales.

By: Elton

Elton — Sat, 05 Sep 2009 13:52:40 +0000

Some more insight into Twitter’s architecture.

John Adams, “Fixing Twitter: Improving the Performance and Scalability…”

http://velocityconference.blip.tv/file/2300327/

By: Paolo

Paolo — Sat, 05 Sep 2009 07:06:25 +0000

Depending on what application server you use you might have experienced XSS vulnerabilities with Java too. For example, this is one dating back to last July http://sunsolve.sun.com/search/document.do?assetkey=1-66-259588-1 on Sun Java System Web Server 6.1.
This one is of April, applying to Struts http://www.ca.com/us/securityadvisor/vulninfo/Vuln.aspx?ID=37269
Googling a little will find many more.

By: pffft

pffft — Sat, 05 Sep 2009 05:04:14 +0000

I wonder why I never had these problems… Oh that’s right. I use java

By: sponge j

sponge j — Sat, 05 Sep 2009 02:00:52 +0000

It is cute, techcrunch giving advice on development. Add this one, don’t take development advice from techcrunch.

Anyone using RoR is foolish. Anyone sensible from that community bailed long ago. Funny you mention the disinterest of the basecamp guys, since they are “the” RoR guys. They mainly care about cash and ego.

Last bit of advice, techcrunch, you should bail on your RoR systems, future fail comming for you.

By: Brock Batsell

Brock Batsell — Fri, 04 Sep 2009 16:44:51 +0000

Nik:

Care to explain why, after being informed 8+ hours ago that your last paragraph is completely factually incorrect, and seeming to acknowledge that fact, the piece still stands uncorrected? That’s absolutely insane. The Rails security release doesn’t even remotely say what you claim it does; simple reading comprehension would have disclosed that.

By: marcus

marcus — Fri, 04 Sep 2009 16:03:35 +0000

Yes, classic case of ‘who you know’. Ping a guy you know on the security team at Twitter = response. Put in a support ticket like any other person = crickets.

By: oops

oops — Fri, 04 Sep 2009 15:36:44 +0000

almost as buggy as Omnidrive!

By: Saravanan

Saravanan — Fri, 04 Sep 2009 15:20:52 +0000

and this vulnerability did not affect IE 8 thanks to its built-in XSS filter says Arstechnica
http://arstechnica.com/security/news/2009/09/ruby-on-rails-vulnerability-affects-twitter-ie8-immune.ars

By: Pete Austin

Pete Austin — Fri, 04 Sep 2009 13:26:13 +0000

People don’t only use Western European languages.

By: Jonathan Cohen

Jonathan Cohen — Fri, 04 Sep 2009 12:12:35 +0000

Ryanair would probably charge you $20 for the privilege of submitting a security report to them.

By: Rob Knight

Rob Knight — Fri, 04 Sep 2009 12:00:50 +0000

It’s still a bad argument. Developers always have to assume that the code they’re building on top of is secure. RoR is just one layer in a stack that includes Rails, a web server, a database server, the Linux OS and possibly all kinds of other software/hardware for load balancing, caching, proxying and so on. Yet nobody would suggest that it’s wrong to run a web app on Linux unless you understand exactly how it works. In fact, we generally measure technical progress by the number of things a person can do without having to understand exactly how they work.

RoR is widely adopted, both commercially and non-commercially, tested by many people in many circumstances, and provides security comparable with any other web framework, and substantially more security than the default ‘no framework’ option. It has flaws, just like the rest of the stack will have flaws, but fixing them is the responsibility of whoever maintains that level of the stack, not the people who use it.

By: itsnotvalid

itsnotvalid — Fri, 04 Sep 2009 11:59:35 +0000

It is so true that white-listing is the real correct way on handling taunted data. Block everything, then open up things that get needed. Even if it would become too clumsy, it is just what developers have to live with.

By: RubyOnRails XSS Vulnerability Claims Twitter, Basecamp And My Confidence

RubyOnRails XSS Vulnerability Claims Twitter, Basecamp And My Confidence — Fri, 04 Sep 2009 10:35:50 +0000

[...] By Techcrunch [...]