by ageitgey 2493 days ago
It looks pretty bad if you had deployed this :(

Here is a summary of the exploit re-pasted from a great comment [1] written by @JanDintel on the github thread:

- It sent the URL of the infected host to the attacker.

- It sent the environment variables of the infected host to the attacker. Depending on your set-up this can include credentials of services that you use e.g. database, payment service provider.

- It allowed eval of Ruby code on the infected host. The attacker needed to send a signed (using the attacker’s own key) cookie with the Ruby code to run.

- It overloaded the #authenticate method on the Identity class. Every time the method gets called it will send the email/password to the attacker. However, I'm unsure which libraries use the Identity class; maybe someone else knows?

So... it potentially compromised your users' passwords AND (if you were on Heroku or similar, like many Rails apps are) system-level access to all your attached data stores. About as bad as it gets.

[1] https://github.com/rest-client/rest-client/issues/713#issuec...
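A defensive check for the fourth bullet above (a dependency redefining Identity#authenticate), as an added example that is not from this thread or from the rest-client project: it lists the instance methods of an application class whose Method#source_location points outside the application's own source directories, which is exactly how a gem-supplied monkey-patch shows up. The directory paths, the stand-in Identity class and the simulated override are all constructed for the example; the override is inert and only returns a marker.

```ruby
# Added example (not from the HN thread or the rest-client project).
# Flags instance methods on an application class whose defining file lies
# outside the application's own source tree, which is how a dependency that
# monkey-patches something like Identity#authenticate becomes visible.
# All paths below are constructed placeholders.

TRUSTED_ROOTS = ["/srv/app/app", "/srv/app/lib"].freeze           # the app's own code
GEM_DIR       = "/srv/app/vendor/bundle/ruby/2.6.0/gems".freeze  # installed dependencies

# Build a stand-in for the application's Identity model. Defining the method via
# class_eval with an explicit filename controls what Method#source_location reports.
def build_identity_class
  klass = Class.new
  klass.class_eval(<<~RUBY, "#{TRUSTED_ROOTS[0]}/models/identity.rb", 1)
    def authenticate(password)
      password == "correct horse battery staple"
    end
  RUBY
  klass
end

# Simulate a dependency redefining #authenticate from a gem path (constructed).
# The real hijacked gem forwarded the credentials it saw; this stand-in is
# inert and only returns a marker so the override is observable.
def hijack!(klass)
  klass.class_eval(<<~RUBY, "#{GEM_DIR}/some-dependency-1.0.0/lib/some_dependency.rb", 1)
    def authenticate(password)
      :overridden
    end
  RUBY
end

# Return { method_name => "file:line" } for every instance method of klass
# whose defining file is not under one of the trusted roots.
def foreign_overrides(klass, roots = TRUSTED_ROOTS)
  prefixes = roots.map { |r| r.end_with?("/") ? r : r + "/" }
  klass.instance_methods(false).each_with_object({}) do |name, out|
    file, line = klass.instance_method(name).source_location
    next if file.nil?                        # methods implemented in C have no location
    out[name] = "#{file}:#{line}" unless file.start_with?(*prefixes)
  end
end

# Run the check on a fresh class before and after the simulated override.
def run_check
  klass  = build_identity_class
  before = foreign_overrides(klass)
  hijack!(klass)
  after  = foreign_overrides(klass)
  { before: before, after: after }
end

puts run_check.inspect if $PROGRAM_NAME == __FILE__
```

In a real application the same `foreign_overrides` call would be run against the actual model classes after boot (for example from a CI step or a boot-time self-check), with the trusted roots set to the app's own `app/` and `lib/` directories. It only catches overrides that Ruby can attribute to a file; it is a cheap integrity check for the specific behaviour described above, not a substitute for pinning and verifying gem checksums in the lockfile.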


Not only could the data have been accessed; it's entirely possible it was modified. Unless you have good logging of all data changes (at the DB level) it can be very difficult to detect these changes.

The first hijacked version was released on August 13th.