Msg#: 4626539 posted 11:34 am on Nov 28, 2013 (gmt 0)
Back in September, security researcher G.S. McNamara warned that certain Ruby on Rails versions were plagued by a vulnerability that allowed hackers to hijack user sessions. Last week, the researcher provided a list of website that were vulnerable.
This is known as insufficient session expiration weakness. The expert warns that this type of flaw is particularly dangerous on websites that donít use SSL. Ruby on Rails Cookiestore Vulnerability [news.softpedia.com]
Itís also worth noting that while only Ruby on Rails versions older than 4.0 donít encrypt cookies by default, cybercriminals can abuse even encrypted cookies to hijack accounts.