[Rubygems-developers] Trojan a RubyGems Package in 3 Easy Steps (was "Re: Need to release 0.9.1 due to security exploit")

Tom Copeland tom at infoether.com
Wed Jan 17 05:59:35 EST 2007

On Tue, 2007-01-16 at 23:05 -0500, Paul Duncan wrote:
> if I
> wanted to install a trojan on thousands of peoples' machines, all I'd
> need to do would be to build a malicious gem (see below), called
> "rails-2.0" and upload it to my gem directory, then sit and wait.

Hm, but that gem wouldn't be deployed on the RubyForge gem index unless
it was uploaded to the rails project on RubyForge... so only folks who
deliberately downloaded the gem from your project area would get