A diligent developer's security practices have uncovered a dangerous backdoor in a popular Ruby library for checking the password strength of user-chosen passwords.
The malicious code would check if the library was being used in a test or production environment. When in production, it would download and run a second payload downloaded from Pastebin.com, a text hosting portal.
This second payload would create the actual backdoor in the apps and websites that used the library -- named
strong_password.
The backdoor would send each infected site's URL to "
smiley.zzz.com.ua," and then wait for instructions.
The instructions were cookie files, which the backdoor mechanism would unpack and run through an "eval" (execute) function.
Basically, this mechanism would have allowed the hacker to run any code he wanted inside an app featuring the backdoored library.
The backdoor's mechanism was discovered by developer Tute Costa
during regular security audits he performs before updating the dependencies used inside his production app.
When Costa reached out to the library's real owner, he discovered that the hacker managed to replace the real developer as the library owner on RubyGems, the Ruby language's main package repository.
