The Bootstrap-Sass Ruby library has been downloaded over 28 million times; the backdoored version, only 1,470 times.
Backdoor code was found in a popular Ruby library used to build frontend user interfaces in Ruby on Rails applications. The malicious code has since been removed in a library update.
The affected library is Bootstrap-Sass, a Ruby package that delivers the popular Bootstrap UI framework to Ruby developers. The backdoor came to light on 27 March, when Derek Barnes noticed that someone had removed an existing version of the library from RubyGems and, moments later, published a new one, version 3.2.0.3.
Barnes noticed that the change had been made only on RubyGems, a popular repository for Ruby libraries, and not on GitHub, where the library's source code is managed.
RUBY APPS EXPOSED TO REMOTE CODE EXECUTION
When examining the v3.2.0.3 code published on RubyGems, Barnes found what he described as "interesting looking code," which would load and execute code supplied in a cookie whenever the library was embedded in a Ruby or Ruby on Rails (a popular Ruby framework) application.
The backdoored version was removed from RubyGems on the same day it was reported. The Bootstrap-Sass team also revoked the RubyGems credentials of the developer whose account they believe was compromised and used to push the malicious code.
A new Bootstrap-Sass release was also published yesterday to remove any leftovers of the backdoor from RubyGems and GitHub. The new release also serves as a signal to developers to update to the new version and remove any backdoored copies from existing projects.
FEW PROJECTS IMPACTED
However, not many projects were affected, as Bootstrap-Sass v3.4.1 was already the latest version of the library and very few developers still used its older branch. "A rapid analysis shows that approximately 1670 GitHub repositories were directly exposed to the malicious library," said cybersecurity company Snyk, which also analysed the backdoor.
"This is a significant increase in the number of applications used as a transitive dependency." The Bootstrap-Sass library has been downloaded from RubyGems almost 28 million times according to official RubyGems stats; however, these are historical figures and do not reflect downloads of the backdoored version. Downloads of backdoored version 3.2.0.3 at the time of writing stand at only 1,477.
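As an added example (not code from the article or from the bootstrap-sass project), here is a Ruby check a Rails team could run over a `Gemfile.lock` to find whether the backdoored release named above (3.2.0.3, the version the article gives) is resolved into the app, and whether it arrived as a direct dependency or transitively, which is the distinction Snyk's figures draw; the sample lockfile is constructed.

```ruby
# Added example, not the article's or the bootstrap-sass project's code:
# scan a Gemfile.lock for the backdoored bootstrap-sass release and report
# whether the app pinned it directly or pulled it in transitively.
BACKDOORED = { "bootstrap-sass" => ["3.2.0.3"] }.freeze  # version the article names

# Constructed sample lockfile (not from any real project) that pins the bad release.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      autoprefixer-rails (9.4.7)
        execjs
      bootstrap-sass (3.2.0.3)
        autoprefixer-rails (>= 5.2.1)
        sass (>= 3.3.4)
      execjs (2.7.0)
      sass (3.7.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    bootstrap-sass (= 3.2.0.3)
LOCK

# Returns { specs: {name => resolved version}, direct: [names the Gemfile asks for] }.
# Resolved specs sit at a 4-space indent under GEM/GIT/PATH; their own requirements
# sit at 6 spaces and are skipped; DEPENDENCIES entries sit at 2 spaces.
def parse_lockfile(text)
  specs, direct, section = {}, [], nil
  text.each_line do |line|
    case line
    when /\A(GEM|GIT|PATH|PLATFORMS|DEPENDENCIES|BUNDLED WITH)\b/
      section = $1
    when /\A {4}([\w\-.]+) \(([^)]+)\)/
      specs[$1] = $2 if %w[GEM GIT PATH].include?(section)
    when /\A {2}([\w\-.]+)/
      direct << $1 if section == "DEPENDENCIES"
    end
  end
  { specs: specs, direct: direct }
end

# Lists every resolved gem whose version is on the backdoored list.
def find_backdoored(lock)
  lock[:specs].each_with_object([]) do |(name, version), hits|
    next unless BACKDOORED.fetch(name, []).include?(version)
    hits << { gem: name, version: version, direct: lock[:direct].include?(name) }
  end
end
```

Running `find_backdoored(parse_lockfile(File.read("Gemfile.lock")))` on a real project returns an empty array when the resolved bootstrap-sass version is anything other than 3.2.0.3.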