It looks like homakov had a little fun with it (the guy who griefed github a bit half a year ago with their whitelisted attributes vulnerability and got the rails core team to put whitelisting on by default).