Statement on Phishing Website
We recently learned that a website (ph-ombulabs dot com) is impersonating our company. They are unlawfully using our branding to take advantage of people who are looking for remote work.
Read more »

One of the first complications that most webapps of any complexity will run into is the need for privileged users who can do things that normal users can’t or shouldn’t be able to do. Before too long, you’re headed towards writing your very own administrative interface. This is not only extra work, but can be tricky to do without compromising the security of the application you’re administering. Most Rails developers will be familiar with this story, and Rails being Rails, it turns out that there are a couple of good options for extending your existing applications with a pre-generated, customizable admin console.
Read more »

The internet is a wonderful place, but there will always be people that don’t have good intentions when they visit our websites. That’s why you need to be aware of the vulnerabilities that your application can have and how to avoid them. In this article I’ll cover two common security problems in Rails applications (I’ll probably make a second part since this is a very extensive topic).
Read more »

If you are working with open source or if you are going to open source a repository, you should ensure that none of your sensitive data (API keys, credentials, passwords) can be accessed by anyone.
One thing that a lot of people forget is that this information stays forever in your repository history unless you rewrite the history of your repository.
Read more »

When integrating Backbone.js in your Rails app, you might run into the problem that Rails cannot verify the CSRF token.
CSRF protection secures your app with a token. Rails makes sure that the person who is interacting with your app is someone who started a session on your site, not some random attacker from another site. So you should not turn it off unless you know what you are doing.
Read more »

On April 17th we discovered a security vulnerability in the Mercado Pago API. Before disclosing this information, we contacted Mercado Libre and sent them a detailed report of the security hole and how to reproduce it.
The vulnerability allowed anyone to get an access token without using the right secret for an account.
Read more »

The other day my friend Juan Rossi reported a vulnerability in the Almundo billing system. Since then, the vulnerability has been fixed by Superfactura, their billing software provider.
Almundo is one of the biggest travel agencies in Argentina. Their site is among the 250 most visited websites in the country.
The vulnerability allowed anyone to download billing information about their clients by creating a pretty simple HTTP GET request. No programming knowledge required.