Categories
personal

37signals writeboard app leaks customer project info

Today I got an email from a ruby group, where we got noticed of a flaw in writeboard.com. This is a web application for project teams to collaborate and communicate developed by 37signals, the company behind the ruby on rails framework.

I’ll quote the message of how this flaw got found and how you can test it yourself:

I was browsing and doing a google search casually, for finding info
about few people I met this week. I suddenly reached to a link
pointing to 123.writeboard.com/(something) , This page asks for
authentication! but Oooops google cache for the same page doesn’t!
unfortunately it presented me html of a whole communication of a team
regarding a product development of a well known company. That says
that google has cached those urls… It opened every thing the team
did for the project… (poor team, they blindly believed that their
ideas are safe!). I found that google has cached these set of urls
very recently…

if you want to test this…
follow these steps:

1.) go to google or gigablast and search for site:123.writeboard.com
or click here

2.) go to cached page of any result following url pattern similar to
123.writeboard.com/6412f6bf670e164bc/feed/c010fedd01c01896eb0fedd01adc8e

3.) You should see some content as html source… just create
wakeup37.html and copy this content, save and open in your browser

This is a huge security issue, and it really makes me think twice about third party hosted web applications for serious confidential work.

By Gabriel Saldaña

Gabriel Saldaña is a web developer, photographer and free software advocate. Connect with him on and Twitter