Backdoor discovered in Ruby strong_password library

Posted on Sep 8, 2019

Backdoor discovered in Ruby strong_password library

An eagle-eyed developer has discovered a backdoor recently sneaked into a library (or ‘gem’) used by Ruby on Rails (RoR) web apps to check password strength. A close shave, then. While the Ruby scripting language and RoR aren’t as popular as they once were, they’re still embedded in numerous enterprise development environments, an unknown number of which might have used the library, strong_password, in its infected version 0.0.7.

The discovery came about after Epion Health developer, Tute Costa, noticed something unusual when carefully updating a family of libraries used by his company’s dev to fix bugs and security vulnerabilities. When he looked at the strong_password gem on, he couldn’t locate a changelog explaining how it got to the updated version from 0.0.6, an event which happened on 25 June 2019. The previous GitHub version had been updated in October 2018.

Comparing the two versions, he noticed the mystery 0.0.7 version embedded a download link which: Fetches and runs the code stored in a, only if running in production, with an empty exception handling that ignores any error it may raise. The backdoor would download code from the Pastebin address for production sites, giving the attackers the power of remote code execution, silently hijacking any websites unfortunate to have updated to the rogue strong_password gem.