It has been reported that malicious users can do e-mail enumeration on sign in via timing attacks despite paranoid mode being enabled. Whenever you try to reset your password or confirm your account, Devise gives you precise information on how to proceed, if the e-mail given is valid, if the token has not expired and … »

We are glad to announce that Devise 3.1.0.rc is out. On this version, we have focused on some security enhancements regarding our defaults and the deprecation of TokenAuthenticatable. This blog post explains the rationale behind those changes and how to upgrade. Devise 3.1.0.rc runs on both Rails 3.2 and Rails 4.0. There is a TL;DR … »

July and August of 2013 will be a mark in the Plataformatec history as the time when we moved out from our green house in the Vila Madalena neighbourhood to a brand new office in the region of the Paulista Avenue. Our company has grown a lot in this year (we are about to pass … »

Devise has been reported to be vulnerable to CSRF token fixation attacks. The attack can only be exploited if the attacker can set the target session, either by subdomain cookies (similar to described here) or by fixation over the same Wi-Fi network. If the user knows the CSRF token, cross-site forgery requests can be made. … »

Rafael França shows how Plataformatec manages the development setup using Boxen, a tool created on top of puppet to automate machine setups.

When people talk about mirroring a git repository, usually we have a simple answer in mind: Just git clone the repo and you’re set!! However, what we want with mirroring is to replicate the state of an origin repository (or upstream repository). By state, we mean all the branches (including master) and all the tags … »