Backdoor code was found added in a popular Ruby library used for frontend user interfaces inside Ruby and Ruby on Rails applications. The malicious code was removed via a library update.
The backdoor's existence came to light on March 27, last week, when software developer Derek Barnes spotted that someone had removed a version of the library (Bootstrap-Sass v188.8.131.52) and immediately released a new version, moments later, v184.108.40.206.
What drew Barnes attention to this version was the fact that the change had only been made on RubyGems, a popular repository for Ruby libraries, but not on GitHub, where the library's source code was being managed.
Library exposed Ruby apps to remote code execution
During an examination of the v3.2.03 code released on RubyGems, Barnes spotted what he described "interesting looking code."
This code, when embedded inside a Ruby or Ruby on Rails (popular Ruby framework), would load a cookie file and execute its content, according to a member of cyber-security firm Bad Packets, who confirmed the malicious nature of the library update for ZDNet.
The backdoor was removed from RubyGems on the same day it was reported. The Bootstrap-Sass team also revoked access to RubyGems for the developer whose account they believed was compromised and used to push the malicious code.
Bootstrap-Sass v220.127.116.11 was also released yesterday, on both RubyGems and GitHub, to remove any backdoor leftovers. The update should also trigger a notification for developers to update their code to this new version, and also remove any backdoors from existing projects.
Few projects impacted
However, the number of impacted projects is believed to be low, as the latest version of the library was Bootstrap-Sass v3.4.1, and very few developers were using the older branch.
"A quick analysis shows roughly 1,670 GitHub repositories that may have been exposed to the malicious library through direct use," said cyber-security firm Snyk, which also analyzed the backdoor. "This number will increase significantly when counting its usage in applications as a transitive dependency."
The Bootstrap-Sass library had been downloaded nearly 28 million times from the RubyGems portal, according to official RubyGems stats; however, these are historical stats and don't all reflect downloads for the backdoored version. Downloads for the backdoored v18.104.22.168 stand only at 1,477, at the time of writing.
More vulnerability reports:
- Researcher prints 'PWNED!' on hundreds of GPS watches' maps due to unfixed API
- Cisco bungled RV320/RV325 patches, routers still exposed to hacks
- Vulnerability found in Xiaomi phones' pre-installed security app
- WordPress iOS app leaked authentication tokens
- Apache web server bug grants root access on shared hosting environments
- Researcher publishes Google Chrome exploit on GitHub
- DJI fixes vulnerability that let potential hackers spy on drones CNET
- Top 10 app vulnerabilities: Unpatched plugins and extensions dominate TechRepublic