Backdoor found in a Ruby library that checks password strength


A developer's diligent security practices uncovered a dangerous backdoor in a popular Ruby library that checks the strength of user-chosen passwords.

The malicious code checked whether the library was being used in a test or a production environment. When in production, it would download and run a second payload from Pastebin.com, a text hosting portal.

This second payload would create the actual backdoor in the applications and websites that used the library, which is named strong_password.

The backdoor would send the URL of each infected site to "smiley.zzz.com.ua" and then wait for instructions. Similarly, the site would receive the URL of the backdoor.

The commands were cookie files, which would be unpacked and executed by the backdoor mechanism.

Fundamentally, this mechanism would have enabled the hacker to execute any code inside an app that used the backdoored library.

Developer Tute Costa discovered the backdoor mechanism in the course of regular security audits before updating the dependencies in the production applications.

When Costa reached out to the real owner of the library, he found that the hacker had succeeded in replacing the true library developer on RubyGems, the principal package repository for the Ruby language.

There, the hacker published a new version of the strong_password library, version 0.0.7, containing the backdoor code. This malicious version was downloaded by 537 users according to RubyGems statistics.

The malicious code was never uploaded to the library's GitHub account. Only RubyGems distributed it.
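A release that exists on the registry but has no counterpart in the source repository is something a pre-update audit can check for. The following is an added example, not code from Costa or from the library: it parses a `Gemfile.lock` and reports locked versions with no matching upstream tag. The lockfile, the tag lists, `example_gem` and all helper names are constructed for illustration.

```ruby
require "rubygems" # provides Gem::Version

# Constructed sample lockfile (not taken from a real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example_gem (1.2.0)
        rack (>= 2.0)
      rack (2.0.7)
      strong_password (0.0.7)

  PLATFORMS
    ruby
LOCK

# Constructed tag lists, shaped like `git tag --list` output per upstream repo.
SAMPLE_TAGS = {
  "example_gem" => %w[release-1.1.0 release-1.2.0],
  "rack" => %w[2.0.6 2.0.7],
  "strong_password" => %w[v0.0.5 v0.0.6],
}.freeze

# Return { gem name => Gem::Version } for the entries under "specs:".
# Nested dependency lines (six spaces) and platform suffixes are ignored.
def locked_versions(lockfile)
  in_specs = false
  lockfile.each_line.with_object({}) do |line, out|
    if line =~ /\A  specs:\s*\z/ then in_specs = true
    elsif line =~ /\A\S/ then in_specs = false
    elsif in_specs && (m = line.match(/\A    (\S+) \((\d[0-9A-Za-z.]*)[^)]*\)\s*\z/))
      out[m[1]] = Gem::Version.new(m[2])
    end
  end
end

# Normalise tag names such as "v0.0.6" or "release-1.2.0" to Gem::Version.
def tag_versions(tags)
  tags.map { |t| t[/\d+(?:\.[0-9A-Za-z]+)*/] }.compact.map { |v| Gem::Version.new(v) }
end

# Locked gems whose exact version has no matching tag in the source repo.
def unreviewable_releases(lockfile, tags_by_gem)
  locked_versions(lockfile).reject do |name, version|
    tag_versions(tags_by_gem.fetch(name, [])).include?(version)
  end
end

unreviewable_releases(SAMPLE_LOCKFILE, SAMPLE_TAGS).each { |n, v| puts "#{n} #{v}: no upstream tag, diff the packaged gem before deploying" }
```

Not every project tags its releases, so a hit is a prompt to diff the packaged gem against the previous version, not proof of tampering.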

Both Costa and the RubyGems Security Team informed the library owner of the finding. Within a week of being uploaded, the malicious version was removed from the RubyGems repo.

As the library is typically used in applications and websites that manage user accounts, any project using the library should conduct a thorough security audit to detect potential breaches and theft of user data.

The incident looks strikingly like one from April of this year, when a hacker backdoored the Bootstrap-Sass Ruby library with an almost identical mechanism for accepting and evaluating cookies.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.