A security bug (CVE-2015-8314) has been reported in Devise’s remember me system.
Devise implements the “Remember me” functionality by using cookies. While this functionality works across multiple devices, Devise ended-up generating the same cookie for all devices. Consequently, if a malicious user was able to steal a remember me cookie, the cookie could be used to gain access to the application indefinitely unless the user changed his password (which may not be a frequent event).
Although all Devise versions are vulnerable to this bug, the bug can only be exploited if the attacker can steal cookies in the first place. Regardless, we recommend all users to upgrade to the latest Devise version.
Devise 3.5.4 has been released with a fix. This release adds a timestamp to the cookie, guaranteeing cookies can be expired on a case-by-case basis instead of an all or nothing approach.
We also have made a patch available for those running on older versions.
We want to thank Alfredo Ramirez (firstname.lastname@example.org) from VSR for reporting the issue and working with us on a fix.