Secret Backdoor was found in PHP’s Git Server Source Code
PHP’s Git Server Compromised
In a recent supply chain attack, the official PHP Git server (git.php.net) was hacked, and the attackers managed to make unauthorized updates that inserted a malicious backdoor into its code.
The attack apparently took place on the 23rd of March (yesterday), and it seems that the hackers used the names of the creator of the PHP programming language, Rasmus Lerdorf, and of a JetBrains developer, Nikita Popov, while conducting the attack.
According to Nikita Popov, it is most likely that the main git.php.net server was compromised rather than an individual user account.
Measures taken to deal with the attack
At the moment of writing, the PHP maintainers are working on reverting the known changes made to the PHP server and are also checking the repositories for additional changes that may not have been discovered yet. Currently, it is not clear whether any code had been downloaded from the server and distributed to third parties before the admins became aware of the unauthorized changes.
One of the measures taken by the maintainers is the migration of the code repository to GitHub, which means that, from now on, changes to the code will go directly to GitHub and not to git.php.net. As another precaution, users (developers) who want to contribute to the PHP project will now have to be verified members of the GitHub organization.
The “dependency confusion” attack model
This attack comes nearly two months after researchers demonstrated a newly discovered supply chain attack model (named “dependency confusion”) with the aim of warning developers of the potential threat that it represents. The attack model can be used to secretly run malicious code inside an internal software build, and it relies on the fact that a given piece of software may pull components from both public and private sources. The attack works as follows: the hackers upload to the public repository a package that poses as a newer version of a private component, and the user’s build then updates automatically, downloading the malicious code without requiring the user’s permission.
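The check below is an added example, not code from the PHP project or from the researchers mentioned above. It models a resolver that takes the highest version across a private and a public index, lists the internal packages that such a resolver would fetch from the public side, and compares that with resolution scoped to the private index. All package names, versions and function names are constructed for illustration.

```python
"""Added example: dependency-confusion audit over constructed package indexes."""
from typing import Dict, List, Set, Tuple

Index = Dict[str, List[str]]  # package name -> published versions

# Constructed sample data; every package name and version here is hypothetical.
PRIVATE_INDEX: Index = {
    "acme-billing-core": ["1.2.0", "1.3.1"],
    "acme-auth-utils": ["2.0.0"],
}
PUBLIC_INDEX: Index = {
    "acme-billing-core": ["99.0.0"],  # same name as a private component, higher version
    "open-json-lib": ["4.1.0"],
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a plain dotted numeric version such as '1.3.1'."""
    return tuple(int(part) for part in version.split("."))

def naive_resolve(name: str, private: Index, public: Index) -> Tuple[str, str]:
    """Merge both indexes and take the highest version (the behaviour at risk)."""
    candidates = [(src, v) for src, idx in (("private", private), ("public", public))
                  for v in idx.get(name, [])]
    if not candidates:
        raise KeyError(name)
    # max() keeps the first maximal item, so the private index wins exact ties.
    return max(candidates, key=lambda c: parse_version(c[1]))

def scoped_resolve(name: str, private: Index, public: Index,
                   internal: Set[str]) -> Tuple[str, str]:
    """Resolve internal names from the private index only, all others from public."""
    source, idx = ("private", private) if name in internal else ("public", public)
    if not idx.get(name):
        raise KeyError(name)
    return source, max(idx[name], key=parse_version)

def audit(private: Index, public: Index) -> List[Tuple[str, str]]:
    """List internal packages that a naive resolver would pull from the public index."""
    findings = []
    for name in sorted(private):
        source, version = naive_resolve(name, private, public)
        if source == "public":
            findings.append((name, version))
    return findings

if __name__ == "__main__":
    for name, version in audit(PRIVATE_INDEX, PUBLIC_INDEX):
        print(f"at risk: {name} would resolve to public version {version}")
```

Any name reported by `audit` is an internal component whose name also exists on the public index with a higher version, which is the condition the attack model depends on.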