RubyGems.org hacked, interrupting Heroku services and putting sites using Rails at risk

Ruby package distributor RubyGems.org was hacked today, disrupting web developers globally and causing service shutdowns at popular hosting service Heroku.

“There was a vulnerability with RubyGems.org, which allowed someone to execute code on the server,” a Ruby programmer I talked to said. “RubyGems is a big target, because if you could break in and change a Rails gem, you could gain access to a lot of servers.”

Popular sites such as Twitter, Groupon, Airbnb, and Hulu are built using Ruby on Rails, a framework built in the Ruby programming language. Ruby gems are packages of code that allow developers to distribute programs or libraries, and RubyGems.org is the central means the Ruby community has to publish and distribute those gems. Essentially, if a black hat hacker can corrupt those gems, he or she could potentially gain control of thousands, if not millions of sites around the world that run Ruby on Rails.

Above: The exploit itself

Image Credit: https://gist.github.com/3e4829f79dbd1be11295

“RubyGems is a critical part of the Ruby infrastructure,” the programmer said. “Everything depends on RubyGems.”

RubyGems explained the situation this way in a Google doc that site administrators set up for status updates:

A user uploaded a malicious gem that contained a malicious gem manifest (YAML file). The manifest contained embedded Ruby with this payload. This is the only known incident involving this vulnerability, but the vulnerability involved is a remote code execution exploit, so the usual rules apply.

The Ruby programmer I talked to, who did not want to be identified since he works with some of the key engineers at RubyGems and Heroku, said that the infected gem was executed by the server and then “emailed the database configuration details, including passwords, to a paste-it note on Pastie.org.”

As soon as Heroku became aware of the issue this morning, site administrators disabled access to site update and publishing services:

Ruby deploys have been temporarily disabled to protect our users from malicious gems. We will have more information available shortly, including a workaround for those who wish to deploy anyway.

Based on the information currently available, it doesn’t appear to have been an especially malicious attack, but rather a fairly strenuous way of informing the RubyGems organization that they had a vulnerability. The infected gem was called “exploit,” a pretty clear signal that the author or authors were not trying to slip something in unnoticed, and “they could have done more,” my source said.

Currently, RubyGems is verifying all files by comparing them for differences with older version before re-enabling all access to  functionality. The last update as of 7:30 PM PST is that the service’s classic API is up, as well as its V1 API, but its web application and Dependency API are still down.

photo credit: Andrew* via photopin cc