A colleague and I noticed that rubgems.org (notice the missing y) was available after we inadvertently typo'd it. I registered it about 3 months ago +/- and set up an Nginx proxy to rubygems.org with a proper SSL cert.
As I'm sure you're aware, having a MITM on rubygems.org can lead to tampering with gems and ultimately RCE on the victim's end. Since setting up the proxy I've had 100+ unique IPs download full gem sets via bundler.
I'd love to see a fix made available where typosquatting was detected at the rubygems side as I suspect other typos are likely commonly made, and registering all the possible typo'd domains is usually untenable.
Happy to help with any follow-on questions or implementing a fix! My initial thought was a Levenshtein distance check of a given source against rubygems.org. Score < 4-6(?) raise a warning "did you typo that?" and score >= 7 no warning. Suppressible with a config flag.
I have filed the same issue with bundler since both projects are subject to this error.
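As an added illustration of the check proposed in the issue above (this is not code from RubyGems or Bundler, and the threshold of 7 and the `suppress:` flag are assumptions standing in for the "4-6(?)" score and the config flag mentioned), here is a Ruby sketch: a Levenshtein distance between the host of a declared source and rubygems.org, with a warning for near misses and none for an exact match or a clearly unrelated host.

```ruby
require "uri"

# Levenshtein edit distance (classic dynamic-programming version).
# Comparison is case-insensitive because DNS names are.
def levenshtein(a, b)
  a = a.downcase
  b = b.downcase
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev.last
end

CANONICAL_HOST = "rubygems.org"
# Assumed threshold: distances 1..6 warn, 7 and above are treated as a
# genuinely different host rather than a typo.
WARN_BELOW = 7

# Returns nil when the source host is an exact match or far from
# rubygems.org, otherwise a warning string. `suppress: true` models the
# proposed config flag for users who deliberately mirror under a close name.
def typosquat_warning(source, suppress: false)
  return nil if suppress
  host = URI.parse(source).host
  return nil if host.nil?
  distance = levenshtein(host, CANONICAL_HOST)
  return nil if distance.zero? || distance >= WARN_BELOW
  "source #{host} is #{distance} edit(s) from #{CANONICAL_HOST}: did you typo that?"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample sources, as they would appear in a Gemfile `source` line.
  ["https://rubygems.org", "https://rubgems.org", "https://packages.internal.example"].each do |s|
    puts "#{s}: #{typosquat_warning(s) || 'ok'}"
  end
end
```

Two caveats a practitioner would want: a legitimate subdomain such as a mirror under rubygems.org is only a few edits away and will trigger the warning, so a real implementation should compare the registrable domain rather than the full host; and the check only guards against typos in the declared source, not against a resolver or network-level MITM, which is what signed gems and TLS verification are for.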
@gavingmiller Can you open this in https://github.com/rubygems/rubygems.org ?
Thanks so much!
@bronzdoc I'm not sure how this would be a rubygems.org thing, given that it can't catch a MITM attack against itself? That would be on the client end (RubyGems, Bundler).
I went fast through this, thanks @duckinator