A diligent developer's security practices have uncovered a dangerous backdoor in a popular Ruby library for checking the password strength of user-chosen passwords.

The malicious code would check if the library was being used in a test or production environment. When in production, it would download and run a second payload downloaded from Pastebin.com, a text hosting portal.

This second payload would create the actual backdoor in the apps and websites that used the library -- named strong_password.

Remote commands received via cookie files

The backdoor would send each infected site's URL to "smiley.zzz.com.ua," and then wait for instructions.

The instructions were cookie files, which the backdoor mechanism would unpack and run through an "eval" (execute) function.

Basically, this mechanism would have allowed the hacker to run any code he wanted inside an app featuring the backdoored library.

The backdoor's mechanism was discovered by developer Tute Costa during regular security audits he performs before updating the dependencies used inside his production app.

When Costa reached out to the library's real owner, he discovered that the hacker managed to replace the real developer as the library owner on RubyGems, the Ruby language's main package repository.

Backdoored library downloaded 547 times

Here, the hacker created a new release for the strong_password library, namely version 0.0.7, containing the backdoored code. According to RubyGem stats, 537 users downloaded this malicious version.

The malicious code was never uploaded on the library's GitHub account. It was only distributed through RubyGems.

Costa notified both the library's owner and the RubyGems security team about his finding. The malicious version was removed from the RubyGems repo within a week of being uploaded.

Because the strong_password library is usually used on apps and website that manage user accounts, any project that uses this library should perform a thorough security audit to detect any potential breach and theft of user data.

The incident is eerily similar to one from April this year when a hacker backdoored the Bootstrap-Sass Ruby library with a nearly identical cookie-accepting and eval-running backdoor mechanism.

Related cybersecurity coverage: