
Bypass session verification for creating new API keys

Moderate
sonalkr132 published GHSA-hh2h-f8vr-xc6q Jun 26, 2022

Package

bundler rubygems.org (RubyGems)

Affected versions

n/a

Patched versions

n/a

Description

Summary

We prompt users to re-enter their password when they visit the new API keys page. This ensures that an unattended session can't be exploited to create new API keys. It was possible to bypass this step by reusing a _rubygems_session cookie in which the verification key was already set.

Impact

An attacker could create new API keys for the user if they also have access to a compromised user session. Note that this exploit has no impact on its own: the attacker must first compromise the user session by some other method. The new API key page is only accessible if the user is already logged in.
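
The replay described in the Summary, as an added example that is not rubygems.org code and not the patch: it assumes a signed client-side session cookie and contrasts a bare "verified" flag with a signed expiry the server enforces. The cookie format, the secret, and the names seal, unseal, weak_verified?, hardened_verified?, verified and verified_until are all hypothetical.

```ruby
require "openssl"
require "json"

SECRET = "constructed-demo-secret" # constructed value, not a real key

# Assumption: session state lives in a signed client-side cookie, so every
# copy the server ever issued keeps a valid signature.
def seal(session)
  body = [JSON.generate(session)].pack("m0")
  "#{body}--#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, body)}"
end

def unseal(cookie)
  body, mac = cookie.split("--", 2)
  return nil unless body && mac
  expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, body)
  return nil unless OpenSSL.secure_compare(mac, expected)
  JSON.parse(body.unpack1("m0"))
end

# Weak: a bare flag. An older cookie that carries it passes forever.
def weak_verified?(cookie, _now)
  session = unseal(cookie)
  !session.nil? && session["verified"] == true
end

# Hardened: the signed payload carries an expiry that the server enforces.
def hardened_verified?(cookie, now)
  session = unseal(cookie)
  return false if session.nil?
  expiry = session["verified_until"]
  expiry.is_a?(Integer) && now < expiry
end

def demo
  t0 = 1_700_000_000 # constructed timestamp
  weak = seal("user" => "alice", "verified" => true)
  hard = seal("user" => "alice", "verified_until" => t0 + 300)
  forged = hard.sub(/.\z/) { |c| c == "0" ? "1" : "0" } # flip last MAC digit
  later = t0 + 3600 # the old cookie is presented again an hour later
  { weak_replay: weak_verified?(weak, later),
    hardened_replay: hardened_verified?(hard, later),
    hardened_fresh: hardened_verified?(hard, t0 + 60),
    tampered: hardened_verified?(forged, t0 + 60) }
end

p demo if __FILE__ == $PROGRAM_NAME
```

A signed expiry only bounds how long an old cookie stays useful; recording the verification server-side removes the window entirely.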

Patches

Please see cf845fd5 for details of the patch.

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs
