In association with heise online

31 January 2013, 10:46

Rubygems site recovers from compromise

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Rubygems icon The volunteers that run the repository of components for Ruby applications are checking those components to ensure they haven't been tampered with after the platform was compromised. Attackers uploaded a gem to the site which had a metadata file that used the Rails YAML flaws to copy initialisation and configuration information to the Pastie clippings site.

The attack was a variation of the various flaws and issues found in Rails earlier this month, with the difference being that the vector used to get to the unsafe Psych YAML parser was via the Rubygems metadata processing rather than through HTTP requests. It is believed the attackers were looking for API keys, which were not in those files. Upon discovery of the compromise, after it was reported on Hacker News, the entire site was placed into "maintenance mode", the "exploit gem" and account used to upload it were deleted, and's Amazon S3 keys were reset.

The developers then set about checking all gems stored on against mirrors held on Amazon S3 or more recent mirrors from sites like Heroku. At time of writing, the status page for reports that the core API, dependency API and load balancers are now back online and that 90% of the gems have been checked and have matched two or more mirrors; is still in read-only mode though. The status page was so overloaded that the developers also created a Google Doc with status information in it. The Twitter account @rubygems_status is also providing updates.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit