Up to 28 million users potentially affected by backdoor vulnerability in popular web development tool

Warning over compromised 'bootstrap-sass' development package published on the RubyGems repository

A backdoor vulnerability in a popular open-source framework claiming 28 million users has been uncovered - although the malicious version was downloaded just 1,470 times.

According to security firm Snyk, the malicious version of web development tool bootstrap-sass was published on the official RubyGems repository.

Researchers found a backdoor that enables hackers to conduct remote command execution on server-side Rails applications.

Writing in a security notice, Snyk explained that the vulnerability was "widely hidden" in version 3.2.0.3 of the tool and enabled "remote attackers to dynamically execute code on servers hosting the vulnerable versions".

The warning continued: "The bootstrap-sass package is very popular and the malicious backdoor potentially affects a large set of users. The package's GitHub repository has been starred more than 12,000 times, and features over 27 million downloads in total. The current version, 3.4.1, has over 217,000 downloads.

"A quick analysis shows roughly 1,670 GitHub repositories that may have been exposed to the malicious library through direct use. This number will increase significantly when counting its usage in applications as a transitive dependency."

This backdoor was hidden in a file called lib/active-controller/middleware.rb, which Snyk said "taps into another Ruby module and modifies it so that specific cookies that are sent by the client will be Base64 decoded and then evaluated in runtime, to effectively allow remote code execution".

Although the identity of the attacker is unknown, Snyk believes that they "obtained the credentials to publish the malicious RubyGems package from one of the two maintainers".

The malicious version has since been removed from RubyGems, with the maintainers confirming that they've changed their credentials.

"We have already added the vulnerability to our database, and if your project is being monitored by Snyk, you will have already been notified by our routine alerts, if your application contains the malicious package.

"If not, you should test, for free, to see if your application is affected by the malicious version by testing your application code repository with Snyk.

"If you find that your Rails application is making use of the vulnerable project take immediate action and replace the vulnerable version, 3.2.0.3, with the re-published 3.2.0.4 as first response mitigation without requiring major version upgrades."
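The two concrete facts a Rails team can act on from this story are the affected version (3.2.0.3, fixed in 3.2.0.4) and the file the backdoor was hidden in (lib/active-controller/middleware.rb). The following Ruby script is an added example, not code from the article or from the bootstrap-sass project: it parses a Gemfile.lock to flag the backdoored release, and checks a gem's file list for the unexpected path. The gem name, versions and file path come from the article; the sample lockfile and the `audit_lockfile` / `backdoor_files` helper names are constructed for this example.

```ruby
# Added example (not from the article or the bootstrap-sass project):
# audit a Rails project's Gemfile.lock for the backdoored bootstrap-sass
# release named in the article, and check a gem's shipped file list for
# the file the backdoor was hidden in.

# Values taken from the article.
BACKDOORED_GEM     = "bootstrap-sass"
BACKDOORED_VERSION = "3.2.0.3"
FIXED_VERSION      = "3.2.0.4"
# Relative path inside the gem that the article identifies as the backdoor.
BACKDOOR_FILE      = "lib/active-controller/middleware.rb"

# Parse the "specs:" section(s) of a Gemfile.lock into { name => version }.
# Bundler writes each resolved gem as "    name (version)" (four spaces)
# under GEM/specs; a gem's own dependencies are listed beneath it with six
# spaces and a constraint rather than a pinned version, so they are skipped.
def parse_lockfile_specs(lockfile_text)
  specs = {}
  in_specs = false
  lockfile_text.each_line do |line|
    stripped = line.rstrip
    if stripped =~ /\A\s{2}specs:\z/
      in_specs = true
      next
    end
    # A new top-level section (PLATFORMS, DEPENDENCIES, ...) ends the block.
    in_specs = false if in_specs && stripped =~ /\A\S/
    next unless in_specs
    if (m = stripped.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      specs[m[1]] = m[2]
    end
  end
  specs
end

# Report on the bootstrap-sass pin in a lockfile. Returns a Hash with
# :status (:not_present, :backdoored or :ok), the version found and,
# for the backdoored release, the first-response fix the article quotes.
def audit_lockfile(lockfile_text)
  version = parse_lockfile_specs(lockfile_text)[BACKDOORED_GEM]
  return { status: :not_present, version: nil } if version.nil?
  if version == BACKDOORED_VERSION
    { status: :backdoored, version: version,
      advice: "replace #{BACKDOORED_VERSION} with the re-published #{FIXED_VERSION}" }
  else
    { status: :ok, version: version }
  end
end

# Given the list of files a gem ships (for example Gem::Specification#files,
# or a Dir.glob over the installed gem directory), return those that end in
# the backdoor path, so the check works on absolute or relative paths.
def backdoor_files(gem_files)
  gem_files.select { |f| f.end_with?(BACKDOOR_FILE) }
end

# Constructed sample Gemfile.lock fragment (not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bootstrap-sass (3.2.0.3)
        sass (>= 3.2.0)
      sass (3.7.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    bootstrap-sass (~> 3.2.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  p audit_lockfile(SAMPLE_LOCKFILE)
  p backdoor_files(["lib/bootstrap-sass.rb", BACKDOOR_FILE])
end
```

Run against a real project with `audit_lockfile(File.read("Gemfile.lock"))`; for the file check, pass `Gem::Specification.find_by_name("bootstrap-sass").files` or a `Dir.glob` over the installed gem directory. The lockfile check only matches the exact release the article names, so a project that has already moved to 3.2.0.4 or 3.4.1 reports `:ok`.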

Correction, 9 April 2019: The original version of this story implied that the malicious Bootstrap-Sass framework had been downloaded 28 million times. This was incorrect. The total number of downloads for the tool is 28 million, but the malicious version was downloaded just 1,470 times. We apologise for the error.