On one hand you have `update_attributes` - IMO you should just never use this (seems raganwald agrees), but hey, it exists and it can be useful for simple stuff. So on the other hand is `attr_accessible` - You need to specify what is allowed to be mass-assigned if you want to use mass-assignment. This stuff is covered in the basic Rails Guides (http://guides.rubyonrails.org/security.html#mass-assignment).
Saying that `update_attributes` is a security vulnerability doesn't really make sense... it's like if I said cars can accelerate to very unsafe speeds by default and this is a huge safety risk, ignoring the fact that cars also come with brakes :)
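An added example, not part of anyone's comment above: a small stand-in for ActiveRecord (the `MiniModel` class, `OpenUser`, `SafeUser` and the constructed `TAMPERED_PARAMS` hash are all assumptions made here) that shows why unrestricted `update_attributes` lets a client set a field the form never exposed, and how an `attr_accessible` whitelist stops it. It runs without Rails.

```ruby
# Hypothetical stand-in for ActiveRecord mass assignment (not Rails code).
class MiniModel
  # Declares the whitelist, like Rails' attr_accessible.
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  def self.accessible
    @accessible
  end

  def initialize(attrs = {})
    @attrs = attrs.transform_keys(&:to_s)
  end

  def [](name)
    @attrs[name.to_s]
  end

  # Mimics update_attributes: with no whitelist every key in the hash is
  # assigned; with one declared, keys outside it are silently dropped.
  def update_attributes(params)
    allowed = self.class.accessible
    params.each do |key, value|
      key = key.to_s
      next if allowed && !allowed.include?(key)
      @attrs[key] = value
    end
    self
  end
end

# No whitelist: anything in params reaches the model.
class OpenUser < MiniModel; end

# Whitelist: only name and email may be mass-assigned.
class SafeUser < MiniModel
  attr_accessible :name, :email
end

# Constructed request params: a form that only showed name and email,
# with an extra "admin" field added by the client.
TAMPERED_PARAMS = { "name" => "alice", "email" => "alice@example.com", "admin" => true }.freeze

def mass_assign_unrestricted
  OpenUser.new(name: "bob", admin: false).update_attributes(TAMPERED_PARAMS)
end

def mass_assign_whitelisted
  SafeUser.new(name: "bob", admin: false).update_attributes(TAMPERED_PARAMS)
end
```

Real Rails logs or raises on the dropped keys depending on configuration; the point is that only the whitelisted model keeps `admin` unchanged.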
Pretty much every tutorial I can find on using controllers in Rails uses mass assignment, and the majority of them (including the beginners guide on guides.rubyonrails.org) don't mention attr_accessible or the security risk in allowing unrestricted mass assignment.
We're telling people to RTFM, but the FM doesn't say a thing about how this is dangerous.
If it was considered standard to avoid use of your brakes at all costs, and accelerate at maximum speed at all times, and this was reflected in the owner's manual - sure, I would think cars were unsafe.
It may not be mentioned in the beginner docs... I feel ok insisting that professional software developers read more than an intro to the framework they are using.
Also not mentioning it isn't the same as avoiding it 'at all costs'.
To continue the analogy: Sales person says "Look how fast this Ferrari can go!", then later, in the manual, "Drive at a responsible speed given your local laws, etc."
All that said I do actually think that changing the default to be more annoying and more safe is a good thing (and it's been done https://github.com/rails/rails/commit/06a3a8a458e70c1b6531ac...). Just saying that I agree with raganwald -- this isn't even close to a 'security vulnerability'.