A Ruby on Rails security upgrade was provided on February 8th to address a cross-site request forgery (CSRF) vulnerability in the Rails-provided CSRF protection. Ruby on Rails is the platform on which the Implications Wheel online is built.
As of 2:36pm CST today, the Implications Wheel online was updated in production to incorporate the upgraded version of Ruby on Rails that eliminates this vulnerability. The necessary steps listed in the security bulletin were taken. Automated tests were built into the Implications Wheel test suite to verify that the steps were properly implemented to work with the changes in the CSRF protection.
Because of the safety measures in place on the Implications Wheel online, an attacker could not use CSRF to take over a user's account or to see content from a user's account. An attacker could only issue individual commands—for example, attempting to post spam links in the details of a center, spam messages in implications, etc.—with no way of knowing whether his attacks were successful.
Due to the nature of CSRF, it is not possible in the general case to determine whether CSRF has been perpetrated by inspecting server logs (CSRF works by tricking a user's browser into issuing a command to a site where that user is logged in, so it just looks like the user issued a command). However, given that:
...it is extremely unlikely that any Implications Wheel accounts had CSRF perpetrated against them.