Hackers Breach PHP Git Server and Insert Backdoor in Source Code

Hackers have breached the main Git repository of the PHP programming language, adding a backdoor to the source code that could allow an attacker access to millions of servers worldwide.

However, as bad as that sounds, the hackers also left a giant red flag for the PHP development team, presumably as a warning regarding the vulnerability rather than as a direct exploit.

Hackers Insert Backdoor Into PHP Source Code

The PHP development team released an official statement confirming the source code breach on Sunday, March 28.

The statement confirms that the PHP source code was indeed breached, with the malicious code being pushed to the PHP Git server from the accounts of lead developers Rasmus Lerdorf and Nikita Popov.

The backdoor, which hasn’t made its way into production (meaning it hasn’t been pushed live to any servers), would have allowed an attacker to execute code on any vulnerable PHP server. It would grant a threat actor significant access and pose a serious danger to the millions of websites that use the programming language.


However, while the breach and exposure of the vulnerability are bad, it is apparent that the hacker or hackers never intended for the exploit to go live. To trigger the malicious code, an attacker would have to send a request containing a specific string: zerodium.

Zerodium is the name of a well-known exploit broker service, where hackers can sell exploits to the highest bidder. The inclusion of the name lends credence to the idea that the hackers were calling attention to the PHP development team rather than actively exploiting the vulnerability.


PHP Development Team Takes Extra Security Steps

As a result of the breach, the PHP development team will change how it manages access to its Git server, making its GitHub repositories the de facto code base for the project, rather than just a mirror as it is currently.

While [the] investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net.

After the switch, those requiring access to the PHP repositories will have to contact the development team directly to make a request.

Although the development team believes the breach was a compromise of the Git server itself, rather than of an individual account, the PHP development team is rightly taking additional steps to ensure there are no further breaches.

According to W3Techs, around 80 percent of all sites on the internet use some form of PHP, so the additional security steps are completely understandable.

Source: makeuseof.com
