37signals writeboard app leaks customer project info

Today I got an email from a Ruby group, in which we were notified of a flaw in writeboard.com. This is a web application for project teams to collaborate and communicate, developed by 37signals, the company behind the Ruby on Rails framework.

I'll quote the message describing how this flaw was found and how you can test it yourself:

I was browsing and doing a Google search casually, to find info about a few people I met this week. I suddenly reached a link pointing to 123.writeboard.com/(something). This page asks for authentication! But oooops, the Google cache for the same page doesn't! Unfortunately it presented me the HTML of a whole communication of a team regarding a product development of a well known company. That says that Google has cached those URLs… It opened everything the team did for the project… (poor team, they blindly believed that their ideas were safe!). I found that Google has cached this set of URLs very recently… If you want to test this, follow these steps:
1.) Go to Google or Gigablast and search for site:123.writeboard.com
2.) Go to the cached page of any result following a URL pattern similar to 123.writeboard.com/6412f6bf670e164bc/feed/c010fedd01c01896eb0fedd01adc8e
3.) You should see some content as HTML source… just create wakeup37.html and copy this content, save and open it in your browser

This is a huge security issue, and it really makes me think twice about third-party-hosted web applications for serious confidential work.
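The root cause is that pages reachable only by an unguessable URL were never told to keep search engines and caches away, so once a link leaked, the crawler archived the content and the archive bypassed the login. As an added illustration (not code from this post or from 37signals), the following audit checks a private page's response headers and the site's robots.txt for the protections that would have prevented this; the header sets and robots.txt texts are constructed samples, and the feed URL is the one quoted above.

```python
"""Audit whether a private page is protected from search-engine caching."""
from urllib.robotparser import RobotFileParser


def cache_control_directives(value):
    """Split a Cache-Control header into a lowercase set of directive names."""
    return {p.strip().split("=")[0].lower() for p in value.split(",") if p.strip()}


def audit_private_page(url, headers, robots_txt, crawler="Googlebot"):
    """Return a list of findings for a page that must never be cached or indexed.

    headers: dict of response header name -> value (names matched case-insensitively)
    robots_txt: text of the site's /robots.txt
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    findings = []

    directives = cache_control_directives(hdrs.get("cache-control", ""))
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store: proxies and caches may retain the page")
    if "private" not in directives and "no-store" not in directives:
        findings.append("Cache-Control lacks private: shared caches may serve it to other users")

    robots_tag = {t.strip().lower() for t in hdrs.get("x-robots-tag", "").split(",")}
    if "noindex" not in robots_tag:
        findings.append("X-Robots-Tag lacks noindex: search engines may index the page")
    if "noarchive" not in robots_tag:
        findings.append("X-Robots-Tag lacks noarchive: search engines may keep a cached copy")

    # robots.txt is advisory, but it is the signal well-behaved crawlers honour first.
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    if rp.can_fetch(crawler, url):
        findings.append("robots.txt does not disallow this path for %s" % crawler)

    return findings


# Constructed samples: a weak response like the leaked feed page, and a hardened one.
FEED_URL = "http://123.writeboard.com/6412f6bf670e164bc/feed/c010fedd01c01896eb0fedd01adc8e"
WEAK_HEADERS = {"Content-Type": "text/html", "Cache-Control": "max-age=3600"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Cache-Control": "no-store, private",
    "X-Robots-Tag": "noindex, noarchive",
}
ROBOTS_WEAK = "User-agent: *\nDisallow: /admin\n"       # leaves the feed paths crawlable
ROBOTS_HARDENED = "User-agent: *\nDisallow: /\n"        # nothing on the host is crawlable

if __name__ == "__main__":
    for label, h, r in (("weak", WEAK_HEADERS, ROBOTS_WEAK), ("hardened", HARDENED_HEADERS, ROBOTS_HARDENED)):
        print(label, audit_private_page(FEED_URL, h, r) or ["ok"])
```

The weak configuration produces five findings; the hardened one produces none, and would also keep a cached copy from appearing even if a link to the URL leaked.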


About Gabriel Saldaña

Web developer and free software advocate.