RubyOnRails XSS Vulnerability Claims Twitter, Basecamp And My Confidence

It was only three days ago that I wrote about the almost hopeless challenge of web security, specifically around new vectors for cross-site scripting attacks. Today came news that an XSS vulnerability had been found in the RubyOnRails development framework, and that applications built on the framework, such as Twitter and Basecamp, were vulnerable to XSS attacks. The vulnerability was discovered by Brian Mastenbrook. He probed Twitter with some Unicode characters and found it vulnerable, tried the same thing on Basecamp and found it vulnerable too, and then deduced that the problem must lie in RubyOnRails itself rather than in either application. He has an excellent and detailed write-up on his site about the process he went through. If you are running RubyOnRails anywhere, stop now, read his post and the security notice from the Rails developers, and get your servers updated: the patch is in the notice, and it will be in the release branch 'today or tomorrow'.
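The post does not describe the mechanics of the Rails bug, only that Unicode input got past the framework's XSS protection. The following is an added example, not code from the post, from Mastenbrook's write-up, or from Rails: a generic probe a practitioner can point at their own escaping helper to check that unusual and malformed Unicode input still comes out with `<`, `>`, `"` and `'` escaped. The probe strings are constructed for this example; `escape_for_html` is a hypothetical hardened helper that normalises invalid UTF-8 bytes to U+FFFD before escaping, so that the escaper and the browser agree on where each character starts and ends.

```ruby
# Added example, not from the original post or from Rails: probe an
# HTML-escaping helper with unusual and malformed Unicode input and
# check that no raw HTML metacharacter survives.
require 'erb'

# Constructed probe payloads. The "\xC0" / "\xE2\x82" bytes are
# deliberately invalid or truncated UTF-8 sequences placed right in
# front of the characters an attacker needs.
PROBES = {
  'plain'               => '<script>alert(1)</script>',
  'fullwidth_brackets'  => "\uFF1Cscript\uFF1Ealert(1)\uFF1C/script\uFF1E",
  'invalid_lead_byte'   => "\xC0<script>alert(1)</script>".b,
  'truncated_multibyte' => "\xE2\x82<img src=x onerror=alert(1)>".b,
  'nul_and_quote'       => "\"\u0000 onmouseover=\"alert(1)",
}.freeze

# Characters that must never appear raw in escaped output.
DANGEROUS = ['<', '>', '"', "'"].freeze

# Hypothetical hardened escaper (assumption for this example):
# 1. treat the input as UTF-8,
# 2. replace every invalid byte sequence with U+FFFD (String#scrub,
#    Ruby >= 2.1) so the string has an unambiguous character structure,
# 3. escape with the standard ERB helper.
def escape_for_html(input)
  utf8 = input.dup.force_encoding(Encoding::UTF_8).scrub("\uFFFD")
  ERB::Util.html_escape(utf8)
end

# Run every probe through the given escaper. Returns a hash of
# probe name => true when the output is valid UTF-8 and contains no
# raw dangerous character, false otherwise.
def probe_results(escaper = method(:escape_for_html))
  PROBES.each_with_object({}) do |(name, payload), results|
    escaped = escaper.call(payload)
    results[name] = escaped.valid_encoding? &&
                    DANGEROUS.none? { |c| escaped.include?(c) }
  end
end

if __FILE__ == $PROGRAM_NAME
  probe_results.each { |name, ok| puts "#{ok ? 'PASS' : 'FAIL'}  #{name}" }
end
```

To test an application's own helper, pass it in as the `escaper` argument and look for any `FAIL` line; a failure on the malformed-byte probes is exactly the class of problem worth checking for after this kind of advisory.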