Reality update: Warning! is rest-client 1.6.13 hijacked? · Issue #713 · rest-client/rest-client · GitHub … :
Wow. I guess I’d call that a #rubytuesday
“JanDintel commented Aug 20, 2019:
In case people need to write a detailed security report at their company, this might help you.
The security threat consisted of the following:
* It sent the URL of the infected host to the attacker.
* It sent the environment variables of the infected host to the attacker. Depending on your set-up, this can include credentials for services that you use, e.g. a database or payment service provider.
* It allowed evaluating Ruby code on the infected host. The attacker needed to send a signed (using the attacker’s own key) cookie with the Ruby code to run.
* It overloaded the #authenticate method on the Identity class. Every time the method gets called, it will send the email/password to the attacker. However, I’m unsure which libraries use the Identity class; maybe someone else knows?”
(Thanks to Fefe, once again!)
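As an added example (not code from the issue or from the rest-client project), here is a small Ruby check that scans a Gemfile.lock for the hijacked release named above. It assumes 1.6.13 is the only version to flag and runs against a constructed sample lockfile when no path is given.

```ruby
# Added example: flag the hijacked rest-client release named in the issue
# in a Gemfile.lock. Not code from the rest-client project or the issue.
# Assumption: only 1.6.13 (the version the page names) is treated as bad.
HIJACKED = { "rest-client" => ["1.6.13"] }.freeze

# Parse the "specs:" section of a Gemfile.lock into { name => [versions] }.
# Entries indented by exactly four spaces are gems; deeper indentation
# marks their dependency constraints, which are skipped.
def parse_lockfile_specs(text)
  specs = Hash.new { |h, k| h[k] = [] }
  in_specs = false
  text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    in_specs = false if in_specs && line !~ /\A\s/ # unindented line ends it
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      specs[m[1]] << m[2]
    end
  end
  specs
end

# Return "name version" strings for every locked gem on the hijacked list.
def find_hijacked(lockfile_text)
  parse_lockfile_specs(lockfile_text).flat_map do |name, versions|
    bad = HIJACKED.fetch(name, [])
    versions.select { |v| bad.include?(v) }.map { |v| "#{name} #{v}" }
  end
end

# Constructed sample lockfile for the demo (not from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mime-types (3.3)
      rest-client (1.6.13)
        mime-types (>= 1.16, < 4.0)
      rake (13.0.1)
  PLATFORMS
    ruby
LOCK

if __FILE__ == $PROGRAM_NAME
  hits = find_hijacked(ARGV.empty? ? SAMPLE_LOCK : File.read(ARGV[0]))
  puts(hits.empty? ? "no hijacked gems found" : hits.map { |h| "HIJACKED: #{h}" })
end
```

Run it with the path to a project's Gemfile.lock as the first argument to check a real lockfile.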