After the Rails exploit was announced I was jokingly mentioning to a friend that this will hit a few Bitcoin exchanges. Seems there are still exchange operators that haven't learned anything from the previous exploits.
Any exchange operator that didn't stop whatever they were doing, be it eating a sandwich or having a baby, and run to patch their servers has failed their user base completely.
And an exchange operator that runs both the exchange itself and its web-facing front end from the same server(s)? You really have to wonder what they were thinking.
While a front-end compromise is always going to be bad, splitting the two gives you more options and a better chance of spotting when the front end is acting unusually.
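One concrete thing the split buys you, as an added example that is not from the post: the exchange core can treat the front end as just another untrusted client and sanity-check its request stream. The request format, the allowed operations, the thresholds and the sample traffic below are all constructed for illustration.

```python
from collections import deque

# Operations the front end is allowed to ask the core to perform (constructed set).
# Anything else suggests the front end is no longer running the code we deployed.
ALLOWED_OPS = {"balance", "trade", "withdraw"}


class FrontEndMonitor:
    """Core-side checks on the stream of requests arriving from the front-end tier."""

    def __init__(self, window_s=60, max_withdrawals=20, max_accounts=10):
        self.window_s = window_s                # sliding window length in seconds
        self.max_withdrawals = max_withdrawals  # total withdrawals tolerated per window
        self.max_accounts = max_accounts        # distinct withdrawing accounts per window
        self.recent = deque()                   # (timestamp, account) of withdrawals in window

    def observe(self, ts, account, op):
        """Record one request and return a list of alert strings (empty if it looks normal)."""
        alerts = []
        if op not in ALLOWED_OPS:
            alerts.append(f"unknown operation {op!r} from front end")
        if op == "withdraw":
            self.recent.append((ts, account))
            # Drop withdrawals that have fallen out of the sliding window.
            while self.recent and ts - self.recent[0][0] > self.window_s:
                self.recent.popleft()
            if len(self.recent) > self.max_withdrawals:
                alerts.append(f"{len(self.recent)} withdrawals in {self.window_s}s")
            distinct = {acct for _, acct in self.recent}
            # Many different accounts withdrawing at once is the shape of a drain,
            # not of ordinary users acting independently.
            if len(distinct) > self.max_accounts:
                alerts.append(f"{len(distinct)} distinct accounts withdrawing in {self.window_s}s")
        return alerts


def scan(requests):
    """Run the monitor over (timestamp_s, account, operation) tuples; return (ts, account, alert)."""
    mon = FrontEndMonitor()
    return [(ts, acct, alert) for ts, acct, op in requests for alert in mon.observe(ts, acct, op)]


# Constructed sample traffic: ordinary use, then a drain-like burst and an odd operation.
SAMPLE_REQUESTS = [
    (0, "alice", "balance"), (5, "bob", "trade"), (30, "alice", "withdraw"),
    (90, "carol", "withdraw"), (120, "dave", "balance"),
] + [(200 + i, f"acct{i}", "withdraw") for i in range(12)] + [(215, "mallory", "admin_export")]

if __name__ == "__main__":
    for ts, account, alert in scan(SAMPLE_REQUESTS):
        print(f"t={ts:>4}s {account:<8} {alert}")
```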