The story of this new hack begins with a topic that’s about as old as technology itself: password hygiene. In the case of ‘rest-client’, the project maintainer was still using a password that had been leaked in an earlier breach. Not having logged on to the project in years, changing his gem password wasn’t exactly top of mind. It’s an oversight that could happen to any of us; we’re human after all. The sequence of events that followed the hijacking of the maintainer’s password makes that oversight unpleasant for many developers.
From GitHub, regarding CVE-2019-15224:
- On August 14, attackers published a series of rest-client versions from 1.6.10 to 1.6.13 using the credentials of a rest-client maintainer whose RubyGems.org account was compromised. The affected versions were downloaded a small number of times (~1000).
- On August 19, @juskoljo observed the malicious gem version and created this issue. Later that day, the RubyGems security team yanked the offending gem version and locked the affected maintainer’s account. Several (Read more…)
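As an added example (not code from Sonatype’s post or from the rest-client project), this is the kind of lockfile check a team could run after a disclosure like the one quoted above: it parses the `specs:` section of a `Gemfile.lock` and flags any pinned `rest-client` version inside the 1.6.10 to 1.6.13 range the issue lists as attacker-published. The sample lockfile is constructed, and the function names are my own.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original post): scan a Gemfile.lock for the
# rest-client versions the quoted GitHub issue lists as attacker-published.
require "rubygems"

# Version range taken from the quoted issue (1.6.10 through 1.6.13).
MALICIOUS_REST_CLIENT = Gem::Requirement.new(">= 1.6.10", "<= 1.6.13")

# Parse the "specs:" section of a Gemfile.lock into { gem_name => [versions] }.
# Top-level spec lines are indented four spaces ("    name (version)");
# their dependency lines are indented six spaces and are skipped.
def parse_lockfile_specs(text)
  specs = Hash.new { |h, k| h[k] = [] }
  text.each_line do |line|
    next unless (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
    specs[m[1]] << m[2]
  end
  specs
end

# Return the pinned rest-client versions that fall inside the malicious range.
def affected_rest_client_versions(lockfile_text)
  parse_lockfile_specs(lockfile_text).fetch("rest-client", []).select do |v|
    MALICIOUS_REST_CLIENT.satisfied_by?(Gem::Version.new(v))
  end
end

# Constructed sample lockfile (hypothetical project, not a real one).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mime-types (3.2.2)
      netrc (0.11.0)
      rest-client (1.6.13)
        mime-types (>= 1.16, < 4.0)
        netrc (~> 0.8)

  PLATFORMS
    ruby

  DEPENDENCIES
    rest-client (~> 1.6)
LOCK

if __FILE__ == $PROGRAM_NAME
  # Pass a path to scan a real lockfile; with no argument the sample is used.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  hits = affected_rest_client_versions(text)
  if hits.empty?
    puts "no rest-client version in the 1.6.10-1.6.13 range"
  else
    puts "WARNING: lockfile pins attacker-published rest-client #{hits.join(', ')}"
  end
end
```

Run it as `ruby check_lockfile.rb path/to/Gemfile.lock` (the script name is my own). Comparing with `Gem::Version` rather than string matching matters here: a plain string comparison would put "1.6.9" above "1.6.10", while the version class orders the segments numerically.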
*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Brian Fox. Read the original post at: https://blog.sonatype.com/anatomy-of-the-rubygems-rest-client-hack-and-getting-creative-about-open-source-security