Skip to content
Naked Security Naked Security

Backdoor discovered in Ruby strong_password library

An eagle-eyed developer has discovered a backdoor recently sneaked into a library (or ‘gem’) used by Ruby on Rails (RoR) web apps to check password strength.

An eagle-eyed developer has discovered a backdoor recently sneaked into a library (or ‘gem’) used by Ruby on Rails (RoR) web apps to check password strength.

A close shave, then. While the Ruby scripting language and RoR aren’t as popular as they once were, they’re still embedded in numerous enterprise development environments, an unknown number of which might have used the library, strong_password, in its infected version 0.0.7.

The discovery came about after Epion Health developer, Tute Costa, noticed something unusual when carefully updating a family of libraries used by his company’s dev to fix bugs and security vulnerabilities.

When he looked at the strong_password gem on, he couldn’t locate a changelog explaining how it got to the updated version from 0.0.6, an event which happened on 25 June 2019.

The previous GitHub version had been updated in October 2018. Comparing the two versions, he noticed the mystery 0.0.7 version embedded a download link which:

Fetches and runs the code stored in a, only if running in production, with an empty exception handling that ignores any error it may raise.

The backdoor would download code from the Pastebin address for production sites, giving the attackers the power of remote code execution, silently hijacking any websites unfortunate to have updated to the rogue strong_password gem.

Adding to this, the versions had been published by an empty account under a different name (probably the victim of a Pastebin account hijacking) to the official maintainer, Brian McManus, who replied to an email from Costa to say:

The gem seems to have been pulled out from under me… When I login to I don’t seem to have ownership now.

The latest issue is identified as CVE-2019-13354. The infected library has now been pulled and replaced with 0.0.8.

Part of a pattern

This wasn’t a speculative attack – somebody thought about what they were doing and set out to insert the backdoor in a way that might not be noticed straight away.

It also fits a troubling pattern of recent targeting of Ruby libraries, including the RCE discovered inside the Bootstrap-Sass Ruby library in April.

That hijacking was noticed even quicker than strong_password’s, but the sheer number of libraries used by RoR (and other development frameworks in the firing line) raises the issue of how much oversight is appropriate when new versions appear.

Luckily, on this occasion, a developer was paying attention. When it comes to security, sometimes someone noticing that something is awry is all that stands between a large community of developers and disaster.


Oh! Now look what you’ve gone and done. You’ve just given operators an excuse to not install new updates until others have had a chance to vet them for a few weeks. So much for quick updates to counter zero-day exploits.


How so? The moral of this incident surely is the need to look for and study changelogs before applying any update. That’s not the same as saying updates shouldn’t be applied.


> many of which might have used the default library, strong_password, in its infected version 0.0.7.

This gem is not a default library for Ruby on Rails or Ruby, this can be trivially checked here:

Please check your facts before writing a blog post and don’t use manipulative wording to misrepresent them. Ironic when you write a blog post about oversights, how you have a pretty big of an oversight by yourself just to have a bit more of a sensationalist text.


The word ”default’ was an error – we’ve removed that because, as you rightly say, that’s not the case.

However, the broader theme of attackers manipulating libraries is important, even if the number of organisations who downloaded this particular rogue update was small.


“all that stands between a large community of developers and disaster” – would not that disaster also have affected the end users?


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!