Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

What I saw was Ben twerping to Ruby people asking who to contact about this first, then posting to HN when he couldn't find the right person. Can I ask, where's the security page on Rubygems.org that tells people who to alert when stuff like this happens? I'm trying to find it on Archive.org and drawing a blank.


I looked for contact page first then panicked. I should have used whois :(


If the whole world is pulling backdoored gems off a compromised Rubygems.org, panic seems like a reasonable first reaction. This isn't the Rails bug; there was nothing to be gained here from secrecy.


I became aware of this problem this morning when it was discussed on a public github issue. I think the problem has been known for a couple of weeks. I checked latest rack and active_support gem (would seem to be good targets...) to see if they had been backdoored but they were clean. Not sure if these gems are still clean or if any others have been compromised.


to see if they had been backdoored but they were clean

You can never be too sure. There's a whole contest (http://underhanded.xcott.com/) whose goal is "make something that looks legit, but actually does something evil / has an exploit).

Nuke from orbit.


i diffed the rack gem and active_resource gem from the versions built from git. i'm fairly sure the versions i downloaded were not compromised.


Now would be a good time to build up a quick script to compare the last modification time of the files on S3 against the updated_at of any gem record in the system. If the delta is too long, that would be a candidate for deeper investigation.


Hopefully they use S3 bucket versioning. Rolling back would be pretty easy then.


I'd be interested in seeing this github issue. Link please?



Ah, so were were supposed to look at the .yml files included in your exploit gem? Which contained some injected code that would then run on the rubygems server?


not my exploit gem. the code was in the metadata part and I believe someone else has posted it in this thread.


consider me a fan of your work!


If someone compromised a package repository and replaced OpenSSH with a backdoored version, I would want to know immediately, and relay that message as quickly as possible to as many other users as possible before it spreads.

It is better to be paranoid about it and get the word out before someone actually gets hurt. If the users get to it before the maintainer gets to it, at least someone got the word out.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: