Title: paratrooper-pingdom-1.0.0 ruby gem exposes API login credentials Author: Larry W. Cashdollar, @_larry0 Date: 12/26/2013 CVE: Please assign. Download: http://rubygems.org/gems/paratrooper-pingdom Description: "Send deploy notifications to Pingdom service when deploying with Paratrooper" Vulnerable Code: From: paratrooper-pingdom-1.0.0/lib/paratrooper-pingdom.rb 24 def setup(options = {}) 25 %x[curl https://api.pingdom.com/api/2.0/checks -X PUT -d "paused=tru e" -H "App-Key: {app_key}" -u " {username}:#{password}"] 26 end 27 28 def teardown(options = {}) 29 %x[curl https://api.pingdom.com/api/2.0/checks -X PUT -d "paused=fal se" -H "App-Key: {app_key}" -u " {username}:#{password}"] 30 end A malicious user could monitor the process tree to steal the API key, username and password for the API login. http://www.vapid.dhs.org/advisories/paratrooper-api-key-pingdom.html # Iranian Exploit DataBase = http://IeDb.Ir [2014-01-11]