I don't think hacking sites to do security activism is a good idea, at all. However, many people over a period of years said that this change needed to be made, in all of the friendly, ethical, polite OSS-approved ways. Tickets, blog posts, emails to security, etc., etc. I got to the issue a few years late, saw the WillNotFix tickets, and wrote up - I kid you not - an on-dead-tree journal article which said:

"[W]rite access to sensitive data should be limited to the maximum extent practical. A suitable first step would be to disable mass assignment, which should always be turned off in a public-facing Rails app. The Rails team presumably keeps mass assignment on by default because it saves many lines of code and makes the 15-minute blog demo nicer, but it is a security hole in virtually all applications."

http://queue.acm.org/detail.cfm?id=1964843

This doesn't justify the Bad Guys abusing third-party sites with this, but the Good Guys did everything right and did not achieve a fix as a result of doing so.
It still auto-adds the attr_accessible list which is nearly as bad as allowing mass assignment in the first place. At most it should add an informative comment, and the error message about being unable to mass assign attributes should be made better, possibly with a URL to the existing mass assignment Rails guide.
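The two comments above argue about the mechanism (a request-parameter hash written straight onto a model) and the whitelist that stops it. The following is an added example written for this thread, not code from the thread, from Rails or from ActiveRecord: a small stand-in model with no database, so it runs by itself. The class names VulnerableUser and ProtectedUser, the ACCESSIBLE constant, the rejected reader, the escalated? helper and the sample ATTACK_PARAMS hash are all made up here. The behaviour ProtectedUser imitates is Rails 3's attr_accessible whitelist plus the mass_assignment_sanitizer setting, which logs and drops protected keys in its default :logger mode and raises in :strict mode.

```ruby
# Added example for this thread: a stand-in for a Rails model, not Rails or
# ActiveRecord code. It reproduces mass assignment from a params hash and the
# attr_accessible-style whitelist that blocks it.

# Constructed sample input: what a controller might receive from an
# attacker-crafted POST. "admin" was never offered by the form; the client
# simply added the field. Form values arrive as strings.
ATTACK_PARAMS = {
  "name"  => "mallory",
  "email" => "mallory@example.com",
  "admin" => "true",
}.freeze

# Mass assignment with no whitelist: every key in the hash becomes a setter
# call, so whatever the client sends is written to the model.
class VulnerableUser
  attr_accessor :name, :email, :admin

  def initialize(params = {})
    @admin = false
    assign_attributes(params)
  end

  def assign_attributes(params)
    params.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# The same model with a per-class whitelist in the spirit of attr_accessible.
# Keys not in ACCESSIBLE are refused; the sanitizer argument imitates Rails
# 3.2's mass_assignment_sanitizer (:logger warns and drops, :strict raises).
class ProtectedUser
  class MassAssignmentSecurityError < StandardError; end

  ACCESSIBLE = %w[name email].freeze

  attr_accessor :name, :email, :admin
  attr_reader :rejected # keys that were refused, visible to a log or a test

  def initialize(params = {}, sanitizer = :logger)
    @admin = false
    @rejected = []
    assign_attributes(params, sanitizer)
  end

  def assign_attributes(params, sanitizer = :logger)
    params.each do |key, value|
      attr_name = key.to_s
      unless ACCESSIBLE.include?(attr_name)
        @rejected << attr_name
        if sanitizer == :strict
          raise MassAssignmentSecurityError,
                "Can't mass-assign protected attribute: #{attr_name}"
        end
        warn "WARNING: Can't mass-assign protected attribute: #{attr_name}"
        next
      end
      public_send("#{attr_name}=", value)
    end
    self
  end
end

# The one question that matters for this request: did the privileged flag
# flip? Accepts the string form because that is what a form post delivers.
def escalated?(user)
  user.admin == true || user.admin == "true"
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: escalated=#{escalated?(VulnerableUser.new(ATTACK_PARAMS))}"
  protected_user = ProtectedUser.new(ATTACK_PARAMS)
  puts "protected:  escalated=#{escalated?(protected_user)} rejected=#{protected_user.rejected.inspect}"
  begin
    ProtectedUser.new(ATTACK_PARAMS, :strict)
  rescue ProtectedUser::MassAssignmentSecurityError => e
    puts "strict:     #{e.message}"
  end
end
```

Run it as a script and the vulnerable model reports escalated=true while the protected one keeps admin false and records "admin" as rejected; the :strict run raises instead of silently dropping the key, which is the mode a public-facing app wants so that an attempted write shows up as an error rather than a line in a log nobody reads. The design point the comments are making is visible in the code: nothing about VulnerableUser is wrong per se, it is simply a default that trusts the request, and the whitelist has to be remembered per model unless the framework makes it the default.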
Good for Egor Homakov. I don't necessarily agree with his methods in this case, but in the end, the net result of his actions was positive for web security. And as so many others have pointed out, when the proper channels aren't working, sometimes a little spectacle is just what you need to instigate change.

In other news, I'm not sure why the Rails core team was so against this in the first place. Making things safe by default is usually a good idea. This change doesn't seem to add too much additional ceremony, and people had been asking for this for some time.
Unfortunately people never learn from the past. Security holes directly traceable back to the design of C are still trickling out after 30 years. The entire construction of the web has failed to learn from this lesson. The whole design is "fail open", and one mistake ends with site credentials being dumped on pastebin.