Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Thursday August 22 2019, @04:55AM   Printer-friendly
from the credential-stuffing dept.

Submitted via IRC for SoyCow3196

No REST for the wicked: Ruby gem hacked to siphon passwords, secrets from web devs

An old version of a Ruby software package called rest-client that was modified and released about a week ago has been removed from the Ruby Gems repository – because it was found to be deliberately leaking victims' credentials to a remote server.

Jussi Koljonen, a developer with Visma in Helsinki, Finland, discovered the hacked code in rest-client v1.6.13, and opened an issue to discuss the matter on the GitHub repo for the software. The gem, originally intended to help Ruby developers send REST requests to their web apps, was altered to fetch malicious code from pastebin.com that steals usernames, passwords, and other secrets from the client's host machine.

According to Jan Dintel, a developer with Digidentity in The Hague, Netherlands, when the infected client is used to send a REST request to a non-localhost website, the malware siphons off the URL of that site along with environment variables that may include authentication tokens, API keys, and other secrets you really don't want in the wrong hands. These details can be reused by the malicious code's mastermind to hijack the victims' accounts.

It also allowed arbitrary Ruby code to run on the infected host, and overloaded the #authenticate method in the Identity class to obtain and leak the user's email address and password every time the function is called to log into a service.

The creator of the cracked gem, Matthew Manning, a software developer based in Atlanta, Georgia, promptly apologized, saying that his rubygems.org account had been compromised.

"I take responsibility for what happened here," he explained in a post on Hacker News. "My rubygems.org account was using an insecure, reused password that has leaked to the internet in other breaches. I made that account probably over 10 years ago, so it predated my use of password managers and I haven't used it much lately, so I didn't catch it in a 1Password audit or anything. Sometimes we miss things despite our best efforts. Rotate your passwords, kids."

[...] Since developer-focused attacks have become more common, software repositories like rubygems.org, npm, and PyPI have encouraged developers to use multifactor authentication to help defend their accounts.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Insightful) by Anonymous Coward on Thursday August 22 2019, @06:21AM

    by Anonymous Coward on Thursday August 22 2019, @06:21AM (#883487)

    I (begrudgingly) accept not foisting them on users, but devs in security critical situations? They can manage it, then it doesn't matter how idiotic the company is, it just /can't/ leak your private key.

    Starting Score:    0  points
    Moderation   +2  
       Insightful=1, Interesting=1, Total=2
    Extra 'Insightful' Modifier   0  

    Total Score:   2