Bypass password check of future users

High
indirect published GHSA-w68r-23cj-6xmm Jun 11, 2022

Package

bundler rubygems.org (RubyGems)

Affected versions

n/a

Patched versions

n/a

Description

Summary

The mfa_user key in the Rails session is used to send the user to the OTP verification page after password verification. The value of mfa_user was the user's handle string, which can be changed after the account is created. An attacker could save the session value, update their handle, and later reuse the saved session to sign in to another user's account.

Note that for this to work, the following requirements have to be met:

  • the attacker has access to the user's OTP keys
  • the attacker was able to save the session before the user signed up to rubygems.org and claimed the user handle

Impact

No known impact. The requirements for this attack are non-trivial: the attacker has to correctly guess the handle of a user who might sign up to rubygems.org in the future.

Patches

We have updated the mfa_user value to use the user id, which can't be changed. See commit 86219b1 for details.

Details

The following sequence of events has to occur in exactly this order for the attack to work. Suppose the user handle is test.

  • Attacker signs up to rubygems.org with handle test
  • Attacker enables MFA and saves the value of _rubygems_session from the OTP page
  • Attacker changes their handle to test2
  • User signs up to rubygems.org with handle test and enables OTP
  • Attacker gains access to the user's OTP by some other means
  • Attacker sends a request to rubygems.org with the previously saved _rubygems_session and a valid OTP for the test user
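The following Ruby example is added here to illustrate both the Patches paragraph and the sequence above; it is not rubygems.org code. It models the OTP-step session lookup with an in-memory user store and shows why keying the session on the mutable handle lets a saved session resolve to a later account that claims the same handle, while keying it on the immutable user id (the fix) does not. Names such as UserStore, mfa_user_before_fix, mfa_user_after_fix and replay_handle_reuse are illustrative assumptions; the handle-uniqueness rule is assumed from the sequence the advisory describes.

```ruby
# Added example (not rubygems.org code): models the MFA session lookup before
# and after the fix described in this advisory, using an in-memory user store.
# UserStore, mfa_user_before_fix, mfa_user_after_fix and replay_handle_reuse
# are illustrative names, not identifiers from the project.

User = Struct.new(:id, :handle)

class UserStore
  def initialize
    @users = []
    @next_id = 1
  end

  # Assumption drawn from the advisory's sequence: a handle is unique among
  # current users, but one released by a rename can be claimed by a new account.
  def create(handle)
    raise ArgumentError, "handle taken: #{handle}" if find_by_handle(handle)
    user = User.new(@next_id, handle)
    @next_id += 1
    @users << user
    user
  end

  def find_by_handle(handle)
    @users.find { |u| u.handle == handle }
  end

  def find_by_id(id)
    @users.find { |u| u.id == id }
  end

  def change_handle(user, new_handle)
    raise ArgumentError, "handle taken: #{new_handle}" if find_by_handle(new_handle)
    user.handle = new_handle
    user
  end
end

# Before the fix: session[:mfa_user] holds the handle, a mutable key, so the
# OTP step resolves to whichever account currently owns that handle.
def mfa_user_before_fix(store, session)
  store.find_by_handle(session[:mfa_user])
end

# After the fix: session[:mfa_user] holds the numeric user id, which never
# changes, so a saved session can only resolve to the account that created it.
def mfa_user_after_fix(store, session)
  store.find_by_id(session[:mfa_user])
end

# Replays the advisory's sequence (account created as "test", session saved at
# the OTP step, handle renamed to "test2", a new account claims "test") and
# reports which account each lookup resolves to afterwards.
def replay_handle_reuse
  store = UserStore.new
  first = store.create("test")

  session_before_fix = { mfa_user: first.handle }  # what was stored pre-fix
  session_after_fix  = { mfa_user: first.id }      # what is stored post-fix

  store.change_handle(first, "test2")
  later = store.create("test")                     # the handle is free again

  {
    before_fix_resolves_to: mfa_user_before_fix(store, session_before_fix)&.id,
    after_fix_resolves_to:  mfa_user_after_fix(store, session_after_fix)&.id,
    first_id: first.id,
    later_id: later.id
  }
end

if __FILE__ == $PROGRAM_NAME
  p replay_handle_reuse
end
```

Run with `ruby handle_reuse.rb`: the pre-fix lookup returns the id of the later account that claimed "test", while the post-fix lookup still returns the account that originally saved the session. The general rule the patch applies is that any session-stored reference to an account should be a value the account holder cannot change.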

Severity

High

CVE ID

No known CVE

Weaknesses

No CWEs