ALERT: Backdoor code found in popular Ruby library

ZDNet is reporting that a specific version of the popular Ruby library bootstrap-sass has a backdoor that allows remote code execution. The library bootstrap-sass is a way to use the popular Bootstrap CSS framework with Ruby.

The infected code was found on RubyGems but not on GitHub where the source code for bootstrap-sass is managed.

This shows the importance of signing keys and good security practices for free/open source projects. With Git and GitHub, developers can sign commits with a key so that only trusted developers are able to commit code to a project. This is especially important for companies releasing open source: there is no need to put your brand and reputation at risk by letting a hacked developer account be used to commit backdoor code.
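One way to enforce the signed-commit policy described above is to audit a commit range before it is merged or released. The script below is an added example and not code from the post or from the bootstrap-sass project; it assumes git is installed and that the trusted developers' public keys have been imported into the local GPG keyring, so that git reports their signatures as "G" (good and trusted).

```shell
#!/bin/sh
# Audit commits for trusted signatures.  Added example, not part of the original post.
#
# git's %G? placeholder summarises signature verification per commit:
#   G = good signature from a trusted key     U = good signature, key not trusted
#   E = signature present but cannot be checked (key missing)
#   B = bad signature   N = no signature   X/Y/R = expired or revoked variants
# Policy here: only "G" is acceptable. "U" means the key is not in our trusted
# keyring, so a commit signed by an unknown key is still rejected.

# Returns 0 when a single %G? status value is acceptable, 1 otherwise.
status_is_trusted() {
  case "$1" in
    G) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads "<hash> <status> [signer]" lines on stdin, as produced by
#   git log --format='%H %G? %GS' <range>
# Reports each unverified commit on stderr and prints the count on stdout.
audit_signatures() {
  bad=0
  while read -r hash status signer; do
    [ -n "$hash" ] || continue
    if ! status_is_trusted "$status"; then
      bad=$((bad + 1))
      echo "UNVERIFIED $hash status=$status signer=${signer:-none}" >&2
    fi
  done
  echo "$bad"
}

# CI-style gate: succeeds only when every commit on stdin carries a trusted
# signature. Usage from a checkout (assumed branch names):
#   git log --format='%H %G? %GS' origin/main..HEAD | enforce_signatures
enforce_signatures() {
  count=$(audit_signatures)
  if [ "$count" -gt 0 ]; then
    echo "FAIL: $count commit(s) without a trusted signature" >&2
    return 1
  fi
  echo "OK: all commits carry trusted signatures" >&2
  return 0
}
```

Run it as a pre-merge or pre-release check so a commit pushed from a compromised account without the developer's signing key is caught before it ships.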

According to Snyk, a cybersecurity firm, around 1600 other code repositories may have been affected. Thankfully, this particular backdoored version of bootstrap-sass had been downloaded only 1477 times and was rapidly fixed.

More info at ZDNet:

This code, when embedded inside a Ruby or Ruby on Rails (a popular Ruby framework) application, would load a cookie file and execute its content, according to a member of the cyber-security firm Bad Packets, who confirmed the malicious nature of the library update for ZDNet.

[Image: bootstrap-sass backdoor]

The backdoor was removed from RubyGems on the same day it was reported. The Bootstrap-Sass team also revoked access to RubyGems for the developer whose account they believed was compromised and used to push the malicious code.
