Wow, last week it was very busy in the Ruby security announcement discussion group. Six new vulnerabilities were announced and most of them are cross-site scripting issues. This is bad for a problem that has been floating around those places for more than a decade.
UPDATE: By mistake this post appeared today on armoredcode.com without the text. The reason is that I created a placeholder to remind me to work on this.
I'll fill in the text now. Sorry for this.
It finally happened. You discovered that your favourite online store website has a REST API to suggest usernames. It's a common pattern to allow the user registration form to suggest alternative usernames when the chosen one is already taken. This feature is so user-friendly, so useful, that almost every project manager or sales representative will fight to have it online.
Most of the time, this kind of feature allows attackers to enumerate legitimate usernames, which makes account password guessing easier.
Tomorrow I'll deliver a talk at SMAU, an Italian ICT… I don't know how to describe it… maybe "expo" is a good word. It's not a technical conference; in Italy we don't have a proper culture of fun and interesting technical conferences. A decade ago it was a broader event open to customers, and the main goal for visitors was to collect gadgets.
Now it's open to ICT people, with vendors and sales vaporware men and little technical content.
Mine is not.