Why 80% of Websites Were in Danger This Week
The hack could have been devastating, but it was handled near-perfectly.
Every so often, you hear about one of these huge, internet-breaking hacks that reveals just how fragile our networking infrastructure is.
This week it almost happened again.
Close to 80% of websites use the programming language PHP in some form. Like many languages, it’s open source, meaning the code behind the language is publicly available — and editable.
Of course, there are protections in place to make sure not just anyone can go in and change the source code for the language. But this week, those protections failed.
Hackers were able to change the code behind PHP to allow anyone with a certain password (“zerodium”) to run whatever code they wanted on a website running PHP. So basically, they could have hacked the vast majority of the internet if this attempt had been successful.
Luckily, developers noticed the change within a few hours and fixed it. The hackers then tried a second time, but of course now people were on the lookout and noticed right away. That’s when the developers decided it was time to implement a more permanent fix.
See, like many programming projects — especially open-source ones — PHP relies on a technology called Git for version control. With Git, authorized users can make changes to code, but the previous versions are all saved. You can see exactly what’s been changed and where, and even choose to keep or reject changes.
GitHub is probably the most well-known host for projects that use Git, and there is a PHP repository on GitHub. But until now, that repository was just a copy of the main one, which was hosted on a server specific to PHP.
According to the developers, there must be some sort of vulnerability in that private Git server which allowed the hackers to change the PHP code. So they did the simple — and probably smart — thing: They took down the private server and decided to just host the repository on GitHub from now on.
In the early days of Git it might have made sense for PHP to host the project on its own infrastructure. But GitHub’s whole purpose is to host projects like this securely, and it has far more resources dedicated to keeping hackers out. Switching just made sense.
So, it was a scary week for PHP. But thanks to quick and decisive action by the developers, the internet is now that much more secure.