Hacking With Gems

A session at Ruby Lugdunum 2013

Thursday 20th June, 2013

10:30am to 11:00am (PMT)

What's the worst that could happen if your app has a dependency on a malicious gem? How easy would it be to write a gem that could compromise a box?
Much of the Ruby community blindly trusts our gems. This talk will make you second guess that trust. It will also show you how to vet gems that you do choose to use.

There are four malicious gems I will be presenting:
* Harvesting passwords from requests going through a Rails app
* Exposing the contents of a Rails app's database
* Compromising the source code of a Rails app
* Providing SSH access to a box at 'gem install' time and stealing gemcutter credentials (and going viral)

My talk will increase awareness that these sorts of gems can exist in the wild, show how easy it is for anyone to build malicious gems, and give easy techniques for identifying these gems.

About the speaker

Benjamin Smith

Benjamin is a developer at Pivotal Labs. He has a strong passion for TDD, pairing, Agile and using technologies that get out of the programmer’s way (or the programmer out of the way). When not writing code, he follows his other passions into the outdoors to rock climb, back country snowboard, kayak and surf.


Ruby Lugdunum 2013, Lyon, France, 20th to 21st June 2013
