Written by Jeff Stone

Hackers have designed a back door into an open source framework that has been downloaded roughly 28 million times by building a malicious version that masquerades as the real thing.

A compromised version of the website development tool bootstrap-sass was published to the official RubyGems repository, a hub where programmers can share their application code. The open source security firm Snyk alerted developers to the issue Wednesday, advising users to update their systems away from the infected framework (version 3.2.0.3).

“That doesn’t mean there are something like 27 million apps out there using this,” said Chris Wysopal, chief technology officer at app security company Veracode. “[But] when you’re using open source packages to build your applications, you’re inheriting many of the vulnerabilities. … But bootstrap-sass is a popular component used by enterprises and startups so there’s potentially thousands of applications affected by this.”

While the vulnerability is serious — hackers can exploit it for remote code execution — the issue also highlights how pervasive such flaws can become if they’re not fixed quickly, according to application security experts. The 2017 data breach at Equifax was possible because the company did not act to resolve a flaw in the open source Apache Struts framework.

“If you’re a person using bootstrap-sass you’re on your way to becoming the next Equifax if you don’t patch,” said Matt Konda, CEO of the app security company Jemurai and a former board member at the Open Web Application Security Project. “It’s a success story of somebody finding this today, rather than in two years we find out we have another Equifax, but even as this is becoming a first class thing, people don’t always patch.”

Eighty-one percent of the chief information officers and chief information security officers polled in a Tanium survey published this week said they have delayed essential updates at least once, while 52 percent said they did more than once.

In this case, hackers appeared to build a malicious copy of bootstrap-sass by compromising the machine or phishing the credentials of a developer, Wysopal said. Upon accessing the account, the hacker appears to have simply uploaded a hacked version of an already-popular library. An initial Snyk estimate suggests “roughly 1,670 GitHub repositories that may have been exposed to the malicious library through direct use.”

Such an attack is alarming, even with the quick release of a security patch, Wysopal said. Much like a zero-day, a backdoor in an open source framework would be known only to an attacker. Even when it’s detected, that hacker still has time on their side.

“Everyone who plants backdoors expects them to be found within days,” said Wysopal. “But it’s still powerful because the developer has to detect that, create new code and then push out the update. It’s one of those things where it doesn’t really matter if it was quick. Prevention is what we need.”

Researchers raised similar concerns last year when hackers inserted a backdoor into another open source library capable of stealing funds from bitcoin wallets. Before that, security pros detected another vulnerability in the Apache Struts framework.