To address some of the possibilities of security holes on the Diaspora, authorization should first be verified before initiating any kind of sensitive action. The correct way to handle this is not merely assign this task to a library, it should access through the belief of a user who has logged in, and only through logging being able to access others.
It is possible for some software after logging in, the screen will exhibit @user which is a variable. To proceed with a printing action, it directs “@user.print_orders.find(params)id”, and in case of an attempt params having been hashed, the printer order cannot be found, resulting in generation of exceptions on the Active Record.
The above emphasizes importance of authorization. More importantly, as the user’s update is an insecure process, it may be able to acces their profiles and change them. On Diaspora, the Rails structure controls the content by default, which uses mass update, under which all attributes of update proceed to accept as input allowing all accessors to be named sequentially as symbols.
Objects’ database, as well as parameter names are updated in the process. This will open change of a user’s id, and allowing reassignment of user’s account, opening the possibility of taking over the user’s account, while impersonation becomes easy and the impersonator can get into the data at any time they wants. This far fetching action is due to picking up of the first entry by MongoDB bricks referring to the fact that if two people have similar IDs, an account can be controlled in a way that you cannot be determined.
More importantly, Diaspora, through its serialized key column, which in fact is their private/public serialized encryption pair of keys, can make use of encryption when conversing with each other, leaving open the possibility of the prying silent attacker to rewrite key pairs and generate their own key pair. Once the prying attacker knows a personal key pair, despite encryption, messages can be accessed by him.