Researcher Warns That Developers Need to Enable Encryption in Wake of PHP Git Server Attack

Two malicious commits were made to the official Git server of the PHP web development programming language earlier this week, and all of this could have been prevented if the maintainers had enabled signed commits on the server. Signed commits add cryptographic protection to each commit, making it much harder to tamper with a repository’s history unnoticed.

(Image: Git commit screenshot)

In Git, a commit is a recorded update to a source code repository. A malicious commit is one that introduces code the original developers never intended to be there. When a programmer cryptographically signs a commit, the result is known as a signed commit.

According to Asaf Karas, co-founder and CTO of Vdoo, there is no silver bullet in security. Researchers still do not know precisely how the attackers compromised the PHP server. What is known is that the malicious commits pushed by the attackers were not signed.

Karas had the following to say: “It’s possible to spoof a signed commit, but the attacker would have to either have a vulnerability or a private key from one of the maintainers. We’re just telling anybody who maintains a Git server to enable the signed commit function on the server; it can prevent a lot of security issues.”
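The server-side enforcement Karas describes can be implemented as a Git pre-receive hook that refuses any push containing a commit without a good signature. The script below is an added example written for this article; it is not code from the page, from Vdoo, or from the PHP project. It assumes a bare repository with the hook installed as hooks/pre-receive, that the maintainers’ public keys have been imported into the GPG keyring the server uses, and it relies on the signature status letters Git prints for the `%G?` log format (G = good signature from a trusted key, U = good signature from an untrusted key, N = no signature, other letters = bad, expired, revoked or uncheckable).

```shell
#!/bin/sh
# Example pre-receive hook (assumed path: hooks/pre-receive in the bare repository).
# Git feeds the hook one "oldrev newrev refname" line per updated ref on stdin.
# Every commit that would become reachable through the push must carry a good
# signature from a key the server trusts; otherwise the whole push is rejected.

ZERO=0000000000000000000000000000000000000000

# Reads lines of the form "<commit-sha> <status-letter>" (the output of
# `git log --format='%H %G?'`) and returns non-zero if any commit is not
# acceptable. Only status G (good signature, trusted key) is accepted.
check_signature_report() {
    bad=0
    while read -r sha status; do
        [ -z "$sha" ] && continue
        case "$status" in
            G) ;;                                                          # good, trusted key
            U) echo "reject: $sha is signed by a key the server does not trust" >&2; bad=1 ;;
            N) echo "reject: $sha is not signed" >&2; bad=1 ;;
            *) echo "reject: $sha has signature status '$status'" >&2; bad=1 ;;
        esac
    done
    return $bad
}

# Walks every ref update on stdin and verifies the commits it introduces.
verify_push() {
    while read -r oldrev newrev refname; do
        # Deleting a branch introduces no commits, nothing to verify.
        [ "$newrev" = "$ZERO" ] && continue
        if [ "$oldrev" = "$ZERO" ]; then
            # New branch: check only commits the repository does not already have.
            revs="$newrev --not --all"
        else
            revs="$oldrev..$newrev"
        fi
        # $revs is deliberately unquoted so the "--not --all" words split.
        git log --format='%H %G?' $revs | check_signature_report || {
            echo "push to $refname rejected: unsigned or untrusted commits" >&2
            return 1
        }
    done
    return 0
}

# Only run the hook body when Git invokes this file as the pre-receive hook,
# so the functions above can also be sourced and tested on their own.
if [ "${0##*/}" = "pre-receive" ]; then
    verify_push || exit 1
fi
```

The check rejects status U on purpose: a signature from a key that was never added to the server’s trusted keyring proves nothing about who made the commit, which is exactly the case an attacker with a stolen or self-generated key would present. The hook also inspects every commit in the pushed range, not just the tip, so a signed merge commit cannot be used to smuggle in unsigned history beneath it.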

The attack raised eyebrows among security researchers because, had the malicious commits not been identified, they would have gone through many testing cycles before being tagged as part of an official release. Keep in mind that 80% or more of all websites currently online use PHP, as it is the backbone of WordPress.

The malicious commits were discovered during a routine post-commit review; what tipped the developers off was that the commit descriptions were completely inconsistent with the associated code. In other words, the attackers labelled one of the two commits as a “typo fix” while it was actually introducing new code. The malicious code was blatant, but it is worth noting that an attacker with a more sophisticated backdoor, built across multiple seemingly innocuous commits, could have slipped through undetected.

Karas carried on to say the following: “It was a close call as the malicious code was detected very early and was only introduced into a development version that isn’t widely used in production. Moreover, the attackers were not sophisticated in how they changed the code. The changes were noticeable and still contained indicative incriminating strings such as those mentioning the vulnerability broker company Zerodium. One could even hypothesize that this was a provocation attack meant to be detected. In the next attack, the attackers might be much more careful in crafting a code change that could stay hidden long enough for it to reach release versions ultimately installed in production on many real systems.”
