RubyOnRails XSS Vulnerability Claims Twitter, Basecamp And My Confidence

you're gonna be ok

It was only three days ago that I wrote about the almost hopeless challenge of web security, specifically around new vectors with cross-site scripting attacks. Today came news that an XSS vulnerability had been found in the RubyOnRails development framework – and that applications built on the framework, such as Twitter and Basecamp, were vulnerable to XSS attacks.

The vulnerability was discovered by Brian Mastenbrook. He probed Twitter with some Unicode characters and found it vulnerable, tried the same thing on Basecamp and found it vulnerable, and then deduced that it must be a problem with RubyOnRails. He has an excellent and detailed write-up on his site about the process he went through. If you are running RubyOnRails anywhere, stop now and read his post as well as the security notice from the Rails developers and get your servers updated (the patch is in the notice; it will be in the release branch ‘today or tomorrow’).

There are a few parts to this story. The first part is that it is great that Brian just happens to be one of the ‘good guys’. We find out about this vulnerability because he put the effort in to inform the parties involved and to get a fix out. We could easily have found out about this the hard way.

The second part is the poor response he got from the guys at Basecamp. I use Basecamp, I have two accounts there and we use it somewhat internally at Techcrunch. Not anymore. Their response to a major security issue does not inspire any confidence, at least not enough confidence that I would feel comfortable having my personal data residing on their servers (for more details on their response, see Brian’s post). Twitter I am not as concerned about – they seem to have their act together in terms of responding to issues promptly (they have had their fair share of security issues, no link required there I think). Brian originally discovered this issue almost a month ago – he seems to have spent a lot of time just communicating with these vendors.

Third part – learning from the mistakes of others. Point one would be: if you are a vendor of an application, get your shit together so that when one of the good guys wants to be able to tell you about a vulnerability he or she discovered, you don’t lose a day arguing about whether an email had been sent or not (I am looking at you too Apple – that post will come later). ‘Getting your shit together’ involves having a clear contact page for security issues, a PGP key (after all, you don’t want everybody reading about how your site is vulnerable), and perhaps a few lines of policy on what you will do if a security issue is discovered (‘it’s not our fault’ is not a policy).

Point two (of the third part – you following?) is about what developers can learn. If you scan the patch file that the RubyOnRails guys sent out you will see one word consistently pop up in the code – ‘verify’. That is what this issue, and what almost all security issues, come down to: do not trust user data, and do not make assumptions about what data your application will receive. The majority of applications take a blacklist approach – i.e. check for that, check for this, filter, block, filter .. filter. The better approach is to assume that everything coming in from anywhere is going to completely screw you up, and then allow only what the application can handle and only what you expect. If your application is all in English, and you start seeing some funky Unicode characters that were previously only used by a long-forgotten African tribe – it is a safe bet that somebody is messing with you. Blacklist vs Whitelist.

Something else I noticed that has come out of this incident. The RubyOnRails notice attributes the cause of this vulnerability to:

“Due to the way that most databases either don’t accept or actively cleanse malformed unicode strings”

Oh, I’m sorry? It’s the database! Remind me next time I pick a database server to use that I choose one that will filter and anticipate all my user data for me (hint: I was being sarcastic; if you are a CIO who just picked up the phone to Oracle to ask for the XSS-proofing module, put the phone down). It is easy to shift blame – but this would be like the Microsoft IIS 4.0 team blaming Dennis Ritchie for all their buffer overflows.
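As an added example (not code from the article or from Rails itself), here is the blacklist-versus-whitelist contrast in Ruby: a blacklist filter that strips only what it has thought of, beside a whitelist acceptor that first requires well-formed UTF-8 (the malformed-Unicode case the Rails notice is about) and then allows only the character class a field expects. The character classes, function names and sample inputs are constructed for this example.

```ruby
# Allowed character classes, in the spirit of "everything off by default,
# then whitelist". These patterns are assumptions chosen for the example.
ALLOWED = {
  alnum:    /\A[A-Za-z0-9]+\z/,
  text:     /\A[A-Za-z0-9 .,!?'-]+\z/,   # plain English prose
  username: /\A[a-z0-9_]{1,15}\z/,
}.freeze

# Blacklist approach: remove the things we have thought of. Anything we
# have not thought of (other tags, malformed byte sequences) passes through.
def blacklist_filter(input)
  input.gsub(%r{</?script[^>]*>}i, "")
end

# Whitelist approach: demand well-formed UTF-8, then demand that every
# character belongs to the class the field expects. Returns the string or nil.
def whitelist_accept(input, kind)
  s = input.dup.force_encoding(Encoding::UTF_8)
  # A regex match on an invalid string would raise; reject it before that.
  return nil unless s.valid_encoding?
  return nil unless s.match?(ALLOWED.fetch(kind))
  s
end

# Constructed sample inputs (illustrative, not payloads from the incident).
SAMPLES = {
  plain:     "hello world",
  truncated: "hello\xE2\x80".b,   # a multibyte sequence cut short
  overlong:  "hi\xC0\xAF".b,      # an overlong encoding, invalid in UTF-8
  tagged:    "<b>hi</b>",
}.freeze

# Run every sample through the whitelist for one field kind.
def classify(kind = :text)
  SAMPLES.transform_values { |v| whitelist_accept(v, kind) ? :accepted : :rejected }
end

if __FILE__ == $0
  classify.each { |name, verdict| puts "#{name}: #{verdict}" }
  puts "blacklist leaves overlong bytes untouched: #{blacklist_filter(SAMPLES[:overlong]) == SAMPLES[:overlong]}"
end
```

The blacklist leaves both malformed samples and the `<b>` tag untouched, while the whitelist rejects everything except the plain English string.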

We are going backwards with security. It is 2009 and vendors aren’t responding properly and blame is being shifted. In the meantime, RubyOnRails is now seeing a surge in downloads from Russia and various other places – not because those new users want to build apps, but because they want to own yours.

  • J Novak

    Actually, you mis-read the quote about how “most databases either don’t accept blah blah”. It is the case that the database SAVES RAILS, not that it’s to blame this problem. If you have a database and filter unicode through it, you’re safe(r).

    • José Valim

      @Novak is right. They say that almost all databases probably do not accept those UTF8 weird characters, so the database saves you at the end of the day.

      They *don’t* blame the database at any time.

    • Nik Cubrilovic

You might be right – they say at the top it’s a vulnerability in the form helper, and in ‘impact’ talk about the db. Reading now – thanks.

• Brock Batsell

        Care to explain why, after being informed 8+ hours ago that your last paragraph is completely factually incorrect, and seeming to acknowledge that fact, the piece still stands uncorrected? That’s absolutely insane. The Rails security release doesn’t even remotely say what you claim it does; simple reading comprehension would have disclosed that.

      • sponge j

        It is cute, techcrunch giving advice on development. Add this one, don’t take development advice from techcrunch.

        Anyone using RoR is foolish. Anyone sensible from that community bailed long ago. Funny you mention the disinterest of the basecamp guys, since they are “the” RoR guys. They mainly care about cash and ego.

        Last bit of advice, techcrunch, you should bail on your RoR systems, future fail coming for you.

      • Tyler

        4 days later and still no correction. Keep it classy.

  • j user

    Nik, are you just trolling for attention with this article? For fun, I started googling web-dev frameworks to see which had XSS vulnerabilities. I ran out of time looking for one that didn’t.

    You’re obviously just using this as an excuse to sling mud. Lame.

    • Nik Cubrilovic

      Everything else also being vulnerable makes me feel better and explains why 37s handled this so well. Thanks.

  • Nikolay Kolev

    Isn’t Twitter using Scala nowadays?

    • Nik Cubrilovic

      Possibly middleware – they never confirmed it. The web is def still RoR.

    • Paolo

      They started using Scala for some background jobs and liked it.

      This is an interview with the Twitter team

      Quoting from that article: “We find Ruby and Scala are very complementary. We use Ruby, actually specifically Rails, for things that it is very strong at. All the front end stuff that it does very well. […] our plan for the long run is to move more and more of our architecture into Scala. The vast majority of our traffic is API requests, and we want most of those to be served by Scala, either at an edge cache layer or a web application layer. Hopefully by the end of 2009 the majority of users’ interactions with Twitter are going to be Scala-powered.”

      Don’t know at which point they are now but it seems to me that the front end (that is, the HTML pages) will be served by Ruby on Rails for the time being.

      • Nikolay Kolev

        Twitter’s front end is very simple. Probably it has more JavaScript nowadays than Ruby code – it’s not a big effort to port it to Scala’s lift, for example, and standardize entirely on one technology.

        Now, on the funny side… Ruby is being developed in Japan and has historically had issues with Unicode, which is designed to solve problems with non-English locales.

  • Andrea Giammarchi

    I totally agree about “having a clear contact page for security issues” … but not only open source projects.
    For instance, I tried to contact both Microsoft and Ryanair ages ago for a serious security problem. No way to reach them, good stuff, huh? Dunno how many good guys there are here though, especially after negative responses like these.
    Good luck, companies.

    • Jonathan Cohen

      Ryanair would probably charge you $20 for the privilege of submitting a security report to them.

  • Ed

    It’s because we don’t have many real developers anymore. It’s all people cutting and pasting together snippets of code and building sites on top of frameworks they don’t understand.

    Why would a large traffic site like Twitter ever use a framework? The functionality of their site is so limited that they could hand-code the entire back-end of that site in a matter of days or weeks.

    The same applies to websites that simply keep dropping in huge bits of javascript everywhere to perform simple functions.

    • Steve

      A framework makes development a heck of a lot easier, and saves an incredible amount of time.

      Thousands of people use off-the-shelf identikit WordPress installs and no one ever complains, yet someone goes off on their own to code their own site+application using a base framework that merely undertakes the most menial of tasks, and you complain that they’re not “real developers”.
      Why reinvent the wheel?

      I also *highly* doubt that a single developer or small development team would be able to code something more secure than RoR first time (unless they were actively focusing on the security issue).
      Every platform has security issues, we can only ever delay hackers, never stop them.

      • Nik Cubrilovic

        It’s about understanding the framework and what it does – not read howto + copy + paste.

      • Rob Knight

        It’s still a bad argument. Developers always have to assume that the code they’re building on top of is secure. RoR is just one layer in a stack that includes Rails, a web server, a database server, the Linux OS and possibly all kinds of other software/hardware for load balancing, caching, proxying and so on. Yet nobody would suggest that it’s wrong to run a web app on Linux unless you understand exactly how it works. In fact, we generally measure technical progress by the number of things a person can do without having to understand exactly how they work.

        RoR is widely adopted, both commercially and non-commercially, tested by many people in many circumstances, and provides security comparable with any other web framework, and substantially more security than the default ‘no framework’ option. It has flaws, just like the rest of the stack will have flaws, but fixing them is the responsibility of whoever maintains that level of the stack, not the people who use it.

  • Calin

    Nice touch with the Reservoir Dogs image :)

    • Nik Cubrilovic

      “you’re gonna be ok!” :)

  • Jeremy Kemper

    We screwed up. Application security is not a customer support issue. See for my full response to Brian.

  • Bob Gregory

    If your database won’t accept UTF-8 then you’re in for a world of pain when you come to internationalise your app anyway. I can’t see why that’s a good thing.

    We recently spent a couple of weeks finding and killing XSS bugs in our code-base; next up is XSRF, which is even more of a killer. I’m not sure that XSS is a responsibility of a framework.

    PS. @Ed – you’re absurd. If you can write a scalable real-time many-to-many messaging service in a matter of days, I’ll give you a biscuit.

    • Nik Cubrilovic

      There are some frameworks that will give you a set of functions where you can allow certain classes of input (eg. A-Za-z0-9, all alpha-num plus some punctuation, some html tags etc.); these can come in handy. Key is everything off by default and then whitelist. I have a list of regexps here I should post at some point – been using it for years.

      • Pete Austin

        People don’t only use Western European languages.

  • Paolo

    Nik, thanks for the info. I just patched a server of mine waiting for the official release.

  • Peter Smith

    Not sure why Twitter gets off the hook. They took days to respond. Didn’t respond. And then only responded when a security employee was contacted directly. Is that supposed to inspire confidence?

    • marcus

      Yes, classic case of ‘who you know’. Ping a guy you know on the security team at Twitter = response. Put in a support ticket like any other person = crickets.

  • itsnotvalid

    It is so true that white-listing is the real correct way of handling tainted data. Block everything, then open up things that get needed. Even if it would become too clumsy, it is just what developers have to live with.

  • Saravanan

    And this vulnerability did not affect IE 8 thanks to its built-in XSS filter, says Ars Technica.

  • oops

    almost as buggy as Omnidrive!

  • pffft

    I wonder why I never had these problems… Oh that’s right. I use java

  • Elton

    Some more insight into Twitter’s architecture.

    John Adams, “Fixing Twitter: Improving the Performance and Scalability…”

  • Basecamp Review

    As a ruby developer and user of both Twitter and basecamp I appreciate you bringing this to our attention.
