by samuelkadolph 4857 days ago
What a load of crap. The chances that GitHub doesn't call reset_session are zero, which means this doesn't work.
2 comments

Given the first vulnerability, which stemmed from poor defaults in Rails and GitHub using said defaults, I wouldn't be surprised if it were affected by this.
Not using attr_accessible is a lot different than not using reset_session after authenticating a login. It's very easy to forget or not notice a model missing some whitelisting, but to roll your own authentication code with zero security investment is just stupid, and I would be extremely surprised if GitHub doesn't do it.
> different than not using reset_session after authenticating a login

If it's obvious to you, you are good at security. But it is NOT common sense to use reset_session.
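The point the two comments above argue about, as an added example that is not code from the thread, from Rails or from GitHub: a toy in-memory session store in plain Ruby that models what a login handler does with the pre-authentication session id. `SessionStore#reset_session` stands in for Rails' `reset_session`; the store, the `login` helper and the user id 42 are constructed for illustration. With no reset, whatever session id the browser presented at login time ends up authenticated as the user; with a reset, that id is discarded and the logged-in session lives under a freshly minted one.

```ruby
require 'securerandom'

# Constructed toy session store (not Rails' own). Session ids come from the
# cookie; session data lives server-side, keyed by that id.
class SessionStore
  def initialize
    @sessions = {}
  end

  # Mint a fresh anonymous session, as a site does for any first-time visitor.
  def new_session
    sid = SecureRandom.hex(16)
    @sessions[sid] = {}
    sid
  end

  # Look up the session named by the cookie. Like a server-side store that
  # trusts the presented id, an unknown id simply gets an empty session.
  def [](sid)
    @sessions[sid] ||= {}
  end

  # Stand-in for Rails' reset_session: drop the current session entirely and
  # issue a new id, so nothing chosen before authentication survives login.
  def reset_session(sid)
    @sessions.delete(sid)
    new_session
  end

  # Login handler. With reset: false it keeps the pre-authentication id (the
  # mistake under discussion); with reset: true it rotates the id first.
  # Returns the session id the Set-Cookie response would carry.
  def login(sid, user_id, reset:)
    sid = reset_session(sid) if reset
    self[sid][:user_id] = user_id
    sid
  end
end

# Constructed scenario: one session id is known to a third party before the
# victim logs in, and the victim's browser presents exactly that id at login.
# Reports whom each cookie is authenticated as afterwards and whether the id
# was rotated.
def simulate_login(reset:)
  store = SessionStore.new
  fixed_sid = store.new_session                       # id known before login
  victim_sid = store.login(fixed_sid, 42, reset: reset) # victim is user 42
  {
    attacker_cookie_user: store[fixed_sid][:user_id],  # 42 without reset, nil with
    victim_cookie_user: store[victim_sid][:user_id],   # 42 either way
    id_rotated: victim_sid != fixed_sid
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "no reset:   #{simulate_login(reset: false)}"
  puts "with reset: #{simulate_login(reset: true)}"
end
```

The useful check when reviewing a hand-rolled login is the `id_rotated` column: if the session id in the response after a successful login equals the one the request carried, the handler is not calling `reset_session` (or its equivalent), and the store behaves like the `reset: false` run.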

Why should it call reset_session, my little sweet troll?
I say more: this vuln worked fine. Wait. GitHub is STILL vulnerable. And I have an exploit.
You offered no proof that this actually works, and being defeated by a reset_session makes it way more likely it doesn't work.
I tried it on myself and on friends; it works.

Want a personal proof? $3000.

You're fucking awesome.

Your posts are so entertaining, keep it up.

Okay