In this issue
- Get and compare the current Git branch in BASH
- New book of the month
- Don’t Make Me Think, 3rd Edition
- In the news
- PaperClip (Ruby on Rails) Insecure Defaults
- Yahoo user accounts compromised through third party database breach
- Buffer database compromised through compromise of MongoHQ support credentials
Get and compare the current Git branch in BASH
My favorite revision control system is Git. I use it to maintain all of my Ruby on Rails projects, my Linux system configuration, and even my blog.
In my web development work, I like to automate as much as possible with BASH shell and Ruby scripts. This makes my work easier by replacing repetitive tasks with simple commands and reduces the instances of certain classes of mistakes in my daily workflow. One of those mistakes that I would like to avoid is accidentally publishing a draft post to the live website.
For the full article, that includes code examples, see Get and Compare the Current Git Branch in BASH.
New book of the month
The 3rd edition of Steve Krug’s venerable Don’t Make Me Think, Revisited: A Common Sense Approach to Web Usability is out!
The 2000 edition is one of the first books that I read an usability back when I was first getting started in serious web development. I have the Kindle edition and look forward to reading the updated edition.
In the news
Paperclip Vulnerability (February, 2014)
There is an insecure defaults vulnerability in Paperclip, the RubyGem used by many Rails applications to handle image uploads. It will accept any type of file upload by default and a wise developer will restrict to only the types of content expected – jpg, png, pdf, etc. See Egor Homakov’s writeup at Paperclip vulnerability leading to XSS or RCE.
See Ruby on Rails devs beware: Paperclip has serious flaw for some analysis from SecurEncrypt News.
Kickstarter user database breached (February, 2014)
On Saturday, February 15, 2014 (yesterday at the time of this writing), Yancey Strickler announced that the Kickstarter user database was compromised on their blog post kickstarter.com/blog/important-kickstarter-security-notice.
According to the Mr. Strickler:
Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.
Because people pick really, really terrible passwords and use the same password across multiple sites, this breach is going to lead to identity theft as the thieves access accounts on other services with the stolen credentials.
Yahoo database compromise (January, 2014)
On January 30, 2014, Yahoo announced that user accounts were compromised by a third party database compromise. The announcement is at yahoo.tumblr.com/…/important-security-update-for-yahoo-mail-users.
Tim Wilson has an analysis at the Dark Reading at darkreading.com/privacy/yahoo-reports-breach-of-customer-databas/240165877.
Buffer compromise and data breach (October, 2013)
Buffer, the social media tool, was compromised a few months ago in an attack that exposed secret access tokens and other data. The source of the breach was that a MongoHQ password of one of MongoHQ’s employees was stolen. Mongo’s support mechanisms gave them access to their client’s data and thus the compromise lead to the compromise Buffer’s database.
Read more about the breach on Buffer’s blog at open.bufferapp.com/buffer-has-been-hacked-here-is-whats-going-on/.
There are many lessons to learn from this, but a two key ones are (1) your database can be breached if your provider’s security is lax, and that (2) when building systems to support clients it is important to have multi-factor authentication and to compartmentalize access.
MongoHQ’s explanation of the events are on their blog at security.mongohq.com/notice.
Invitation to the Web Application Topics Newsletter
This is an archived issue of the Web Application Topics Newsletter. If you are interested in having future issues sent directly to your e-mail, please sign up for free, today. For back issues, see the Web Application Topics category on this blog.