So I committed to the rails/rails repo. I simply added an `<input value=USER_ID name=public_key[user_id]>` field to the public key update form, where USER_ID = 4223 (from https://api.github.com/users/rails). The backend didn't whitelist accessible attributes and had something like this:

```ruby
@key = PublicKey.find(params[:id])
@key.update_attributes(params[:public_key]) # Oh no! We passed public_key[user_id] of our victi
```
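To make the mass-assignment problem concrete, here is an added example (not GitHub's or Rails' code) using a plain Ruby stand-in for the model: the unfiltered `update_attributes` from the post beside a whitelisted version that does what `attr_accessible` / strong parameters do. The `PublicKey` class, its `PERMITTED` list and the tampered parameter hash are constructed for the example.

```ruby
# Added example: a minimal stand-in for an ActiveRecord model, not Rails' or
# GitHub's code. It shows why unfiltered update_attributes lets a request
# parameter rewrite the ownership column, and how a whitelist prevents it.
class PublicKey
  attr_accessor :id, :user_id, :title, :key

  # Only these columns may be set from request parameters (the role of
  # attr_accessible in Rails 3 or params.permit in strong parameters).
  PERMITTED = %w[title key].freeze

  def initialize(id:, user_id:, title:, key:)
    @id, @user_id, @title, @key = id, user_id, title, key
  end

  # Vulnerable pattern from the post: every submitted key becomes an
  # assignment, so public_key[user_id] silently re-parents the record.
  def update_attributes_unfiltered(params)
    params.each { |name, value| public_send("#{name}=", value) }
    self
  end

  # Hardened version: only whitelisted columns are assigned; unknown keys
  # are dropped and returned so the attempt can be logged and alerted on.
  def update_attributes(params)
    rejected = params.keys.map(&:to_s) - PERMITTED
    params.each do |name, value|
      next unless PERMITTED.include?(name.to_s)
      public_send("#{name}=", value)
    end
    rejected
  end
end

# Constructed request body: a legitimate title edit plus an injected user_id.
TAMPERED_PARAMS = { 'title' => 'laptop', 'user_id' => 4223 }.freeze

# Unfiltered model: the record now belongs to user 4223.
def demo_unfiltered
  key = PublicKey.new(id: 1, user_id: 100, title: 'old', key: 'ssh-rsa AAAA...')
  key.update_attributes_unfiltered(TAMPERED_PARAMS).user_id
end

# Whitelisted model: owner unchanged, title updated, user_id reported as rejected.
def demo_whitelisted
  key = PublicKey.new(id: 1, user_id: 100, title: 'old', key: 'ssh-rsa AAAA...')
  rejected = key.update_attributes(TAMPERED_PARAMS)
  [key.user_id, key.title, rejected]
end
```

Logging the rejected keys is worth doing in production: a request carrying `user_id` for a resource the user already owns is a strong signal of tampering.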