Follow the entire thread of discussion, right back to tptacek's original post, and the article itself.
The article's conclusion says, "... it is not a “giant bug”, it is much more subtle than that and requires a specific combination of code and circumstances to work. Most apps are not vulnerable."
To me, Thomas Ptacek appears to be suggesting that maybe there is more to this situation than meets the eye, and that maybe the article is not correct in making statements like, "Most apps are not vulnerable."
I merely pointed out that the Ruby on Rails community, in general, has a bad reputation when it comes to making claims. Often, the claims are shown to be complete nonsense.
If there is more to this vulnerability, and it turns out that many Ruby on Rails apps actually are affected, then I wouldn't be surprised at all. I just hope that people do take this vulnerability seriously, contrary to what some articles may say, and do proper inspections of their Rails web apps.
I believe you've accidentally omitted the following important and relevant pieces from the article and the following author comments:
"There are other exploitable scenarios, but it really depends on what your app is doing. Since it is impossible to prove that something isn’t insecure, you should take the vulnerability seriously and upgrade anyway even if you think you aren’t affected." - article subsection "Summary: what is this vulnerability?"
"a leaked key is NOT necessary to exploit the bug" - author comment on the article.
"Another (unrelated) Rails vulnerability has been found today. That vulnerability has not been publicized yet, but suffice to say it is a very embarrassing and serious vulnerability that deserves immediate attention. Please keep your eye open on future advisories." - author comment on the article.
"Not disagreeing with you there. After all there's no way to prove that something doesn't exist. That's why I wrote that everyone should upgrade, just in case. :)
The goal of the article is not to defend Rails. It is to inform about the nature of the vulnerability and to replace the feeling of panic with rational thoughts." - author comment on HN