The XZ Backdoor

How internet vulnerabilities are made

On March 29th, Andres Freund, a Microsoft developer, noticed that one of his systems was performing worse than expected. While debugging why the system was slow when using SSH (Secure Shell), a widely used protocol for remotely logging into other devices over the internet, he traced the problem to an update to XZ Utils, a compression tool (1). XZ Utils comes preinstalled on all Linux systems, which power everything from half the websites on the Internet to supercomputers (1, 2). This wasn’t some random mistake in the code, though—the slowdown was caused by an exploit purposely added to the new versions of XZ, one that was seemingly years in the making (3, 4).

A user named JiaT75, or Jia Tan, created their GitHub account in 2021. That same year, they began contributing more and more to XZ Utils, eventually working their way up to becoming a maintainer of XZ—the highest position of power possible on an open-source project like XZ Utils (4). Using this power, Jia Tan merged changes into XZ Utils that added a backdoor to SSH, allowing anyone who knew about the backdoor to run code on any computer with XZ installed (3).

It is still unclear who Jia Tan is or what they intended to do with this backdoor. Theories range from Jia Tan being a genuine developer who was paid to add the backdoor, to Jia Tan not being a single person at all but an organization. In reality, though, it’s nearly impossible to know until more information about the exploit comes out. Until then, this event serves as a stark reminder of the immense harm that can occur if code isn’t thoroughly reviewed before being deployed to important systems—even if the person writing it seems trustworthy.

Sources:

  1. Goodin, D. (2024, April 2). The XZ Backdoor: Everything You Need to Know. WIRED. https://www.wired.com/story/xz-backdoor-everything-you-need-to-know/
  2. Usage statistics of Linux for websites. (n.d.). W3Techs. Retrieved April 20, 2024, from https://w3techs.com/technologies/details/os-linux
  3. Akamai Security Intelligence Group. (2024, April 1). XZ Utils Backdoor — Everything You Need to Know, and What You Can Do. Akamai. Retrieved April 12, 2024, from https://www.akamai.com/blog/security-research/critical-linux-backdoor-xz-utils-discovered-what-to-know
  4. Boehs, E. (2024, April 8). Everything I know about the XZ backdoor. Retrieved April 12, 2024, from https://boehs.org/node/everything-i-know-about-the-xz-backdoor