Action Controller in the actionpack gem has a flaw in the way it compares usernames and passwords in its basic authentication code. Because of the flaw, attackers can launch a timing attack: by analyzing the time a response takes and using the differences, they can find a valid username and password.
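
The comparison weakness described above, shown beside a comparison whose work does not depend on where the inputs differ. This is an added Ruby example, not actionpack's own code; the credentials, the function names and the step counter are constructed for illustration.

```ruby
require "digest"

# Constructed sample credentials for this example only.
EXPECTED_USER = "deploy"
EXPECTED_PASS = "correct-horse-battery"

# Early-exit comparison, the pattern that leaks timing. Returns the result
# and the number of bytes examined, so the data-dependent work is visible
# without relying on noisy wall-clock measurements.
def leaky_compare(expected, given)
  steps = 0
  return [false, steps] unless expected.bytesize == given.bytesize
  expected.bytes.zip(given.bytes) do |e, g|
    steps += 1
    return [false, steps] unless e == g
  end
  [true, steps]
end

# Hash both sides to a fixed length, then OR together the XOR of every
# byte pair, so the loop always covers all 32 bytes and never exits early.
def secure_compare(expected, given)
  a = Digest::SHA256.digest(expected).bytes
  b = Digest::SHA256.digest(given).bytes
  diff = 0
  a.each_with_index { |byte, i| diff |= byte ^ b[i] }
  diff.zero?
end

# Decode an "Authorization: Basic ..." header value into [user, password].
def parse_basic(header)
  scheme, encoded = header.to_s.split(" ", 2)
  return nil unless scheme&.casecmp?("Basic") && encoded
  user, pass = encoded.unpack1("m").split(":", 2)
  user && pass ? [user, pass] : nil
end

# Non-short-circuit `&`: both fields are always compared, so a wrong
# username costs the same work as a wrong password.
def authenticate(header)
  user, pass = parse_basic(header)
  return false unless user
  secure_compare(EXPECTED_USER, user) & secure_compare(EXPECTED_PASS, pass)
end
```

With `leaky_compare`, the step count grows with the length of the matching prefix, which is the signal a response-time measurement picks up; `secure_compare` does the same amount of work for every mismatch.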