The XZ backdoor could have been really bad

While you were enjoying the long weekend, engineers and developers were fixing what could have been one of the biggest cybersecurity incidents of all time.

What happened: Someone with the username JiaT75 spent over two years adding a backdoor — which lets hackers get around cybersecurity measures — to XZ Utils, an open-source algorithm widely used in servers and networking hardware running on Linux. Andres Freund, an engineer working for Microsoft, discovered the vulnerability by chance when investigating performance slowdowns.

  • The final version of the backdoor was added recently, and developers working through the weekend found that Freund likely caught it before it was distributed too widely.
  • The backdoor would have let bad actors remotely access a device and add any code they pleased, from ransomware to stealing keys for encrypted data.

Why it matters: Besides dodging a really big bullet, the incident puts a spotlight on an uncomfortable truth: The internet and everything connected to it relies on thousands of pieces of open-source software maintained by volunteers. Even the ones who aren’t actively trying to tear things down can be manipulated by interpersonal politics between admins.

  • JiaT75 — whose identity and motivations are still unknown — played a long con to become an XZ Utils admin, using seemingly fake emails to complain about the slow rate of work and positioning themselves as someone who could step up to help.

Yes, but: The openness of open-source software means developers could collaborate on a solution to the XZ backdoor and piece together what happened. If this had happened in a closed-off, proprietary system, the public would have had to wait for the company to discover the exploit, provide a fix, or even disclose that it was an issue in the first place.