Backdoor code found in popular Bootstrap-Sass Ruby library

Bootstrap-Sass Ruby library had been downloaded more than 28 million times. Backdoored version only 1,470 times.


Backdoor code was found in a popular Ruby library used to build front-end user interfaces in Ruby and Ruby on Rails applications. The malicious code has since been removed via a library update.

The library affected by this incident is Bootstrap-Sass, a Ruby package that provides developers with a Sass version of Bootstrap, the most popular UI framework for developers today.

The backdoor's existence came to light on March 27, last week, when software developer Derek Barnes spotted that someone had removed a version of the library (Bootstrap-Sass v3.2.0.2) and, moments later, released a new version, v3.2.0.3.

What drew Barnes' attention to this version was the fact that the change had been made only on RubyGems, a popular repository for Ruby libraries, and not on GitHub, where the library's source code is managed.

Library exposed Ruby apps to remote code execution

During an examination of the v3.2.0.3 code released on RubyGems, Barnes spotted what he described as "interesting looking code."

This code, when embedded inside a Ruby or Ruby on Rails application (Rails being a popular Ruby web framework), would load a cookie file and execute its content, according to a member of cyber-security firm Bad Packets, who confirmed the malicious nature of the library update for ZDNet.


The backdoor was removed from RubyGems on the same day it was reported. The Bootstrap-Sass team also revoked access to RubyGems for the developer whose account they believed was compromised and used to push the malicious code.

Bootstrap-Sass v3.2.0.4 was also released yesterday, on both RubyGems and GitHub, to remove any backdoor leftovers. The update should also trigger a notification prompting developers to upgrade to this new version, which removes the backdoor from existing projects.

Few projects impacted

However, the number of impacted projects is believed to be low, as the latest version of the library was Bootstrap-Sass v3.4.1, and very few developers were using the older branch.

"A quick analysis shows roughly 1,670 GitHub repositories that may have been exposed to the malicious library through direct use," said cyber-security firm Snyk, which also analyzed the backdoor. "This number will increase significantly when counting its usage in applications as a transitive dependency."

The Bootstrap-Sass library had been downloaded nearly 28 million times from the RubyGems portal, according to official RubyGems stats; however, these are cumulative historical stats and do not reflect downloads of the backdoored version alone. Downloads of the backdoored v3.2.0.3 stood at only 1,477 at the time of writing.
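The distinction Snyk draws between direct use and transitive dependencies is exactly what a Ruby team needs to check in its own projects: a Gemfile may never mention bootstrap-sass and still resolve the backdoored release through another gem. The script below is an added example, not code from the article, from ZDNet, or from the bootstrap-sass project. It parses a Gemfile.lock, flags the release named in the article (3.2.0.3), and reports whether it is listed in the Gemfile itself or only pulled in by another gem. The sample lockfile and the `acme-admin-theme` gem in it are constructed for the example.

```ruby
# Added example (not from the article or the bootstrap-sass project):
# audit a Gemfile.lock for the backdoored bootstrap-sass release and report
# whether a project depends on it directly or only transitively.

# Gem name => release versions known to be backdoored (the version named in the article).
BACKDOORED_RELEASES = { "bootstrap-sass" => ["3.2.0.3"] }.freeze

# Parse the parts of a Gemfile.lock the audit needs:
#   specs   => { gem name => resolved version }           (4-space lines under GEM/specs)
#   parents => { gem name => [gems that depend on it] }   (6-space lines under a spec)
#   direct  => [gem names listed under DEPENDENCIES]      (what the Gemfile itself asks for)
def parse_lockfile(text)
  specs   = {}
  parents = Hash.new { |h, k| h[k] = [] }
  direct  = []
  section = nil   # current top-level section: GEM, PLATFORMS, DEPENDENCIES, BUNDLED WITH, ...
  current = nil   # spec whose dependency lines we are currently reading
  text.each_line do |raw|
    line = raw.rstrip
    case line
    when /\A[A-Z][A-Z ]*\z/             # an unindented, all-caps section header
      section = line
      current = nil
    when /\A    (\S+) \(([^)]+)\)\z/    # resolved spec: "    name (version)"
      next unless section == "GEM"
      current = $1
      specs[current] = $2
    when /\A      (\S+)/               # dependency of the current spec: "      name (constraint)"
      parents[$1] << current if section == "GEM" && current
    when /\A  (\S+)/                   # Gemfile entry under DEPENDENCIES ("name!" marks git/path sources)
      direct << $1.delete("!") if section == "DEPENDENCIES"
    end
  end
  { specs: specs, parents: parents, direct: direct }
end

# Return one finding per resolved gem whose version is a known backdoored release.
# :reach is :direct when the Gemfile lists the gem, :transitive otherwise;
# :via lists the gems whose own dependency declarations pull it in.
def audit_lockfile(text)
  lock = parse_lockfile(text)
  lock[:specs].each_with_object([]) do |(name, version), findings|
    next unless BACKDOORED_RELEASES.fetch(name, []).include?(version)
    findings << {
      gem: name,
      version: version,
      reach: lock[:direct].include?(name) ? :direct : :transitive,
      via: lock[:parents][name].sort,
    }
  end
end

# Constructed sample lockfile: the project only asks for a hypothetical
# "acme-admin-theme" gem, which in turn resolves bootstrap-sass 3.2.0.3.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      acme-admin-theme (1.0.0)
        bootstrap-sass (~> 3.2.0)
      autoprefixer-rails (9.5.1)
        execjs
      bootstrap-sass (3.2.0.3)
        autoprefixer-rails (>= 5.2.1)
        sass (>= 3.3.4)
      execjs (2.7.0)
      sass (3.7.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    acme-admin-theme (~> 1.0)
    rails (~> 5.2)

  BUNDLED WITH
     1.17.3
LOCK

if $PROGRAM_NAME == __FILE__
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  audit_lockfile(text).each do |f|
    puts "#{f[:gem]} #{f[:version]}: #{f[:reach]} dependency (via: #{f[:via].join(', ')})"
  end
end
```

Run it against a real project with `ruby audit_lock.rb path/to/Gemfile.lock`; with no argument it audits the constructed sample and reports bootstrap-sass 3.2.0.3 as a transitive dependency reached via acme-admin-theme. Because the check reads the lockfile rather than the Gemfile, it catches exactly the transitive case the article warns about.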
