A recent incident where a backdoor was introduced into XZ Utils’ open-source software in plain sight shows how effectively malicious actors can use social engineering for their own gains.
What is XZ Utils?
XZ Utils is a set of free software command-line lossless data compressors, which include the programmes lzma and xz. It can be used on Unix-like operating systems and from version 5.0 of Microsoft Windows.
What happened with XZ Utils?
Earlier this year a backdoor in the xz package was found. Whilst it’s clear it had been inserted by someone covertly, the reasons for doing so weren’t. As this was intended for Linux distributions to use for building their packages it could have had far-reaching consequences to supply chains using this type of open-source software. Luckily, in this case, because this version of xz was not widely distributed, the impact was minimal.
How was the backdoor created?
The most interesting aspect of this hack was that it was all done using social engineering techniques over a period of years. The attack began back in October 2021, when an individual – Jia Tan – over several months, submitted harmless patches to the single-person XZ Utils project. Over time, two different users put pressure on Lasse Collins (the sole maintainer of the project) to integrate Tan’s patches faster and he eventually gave him commit access to the project.
Once the backdoor was discovered, it became clear that Tan was the culprit. What is not clear is whether the two other users were simply colluding with Tan, or whether all three were fictional characters created by one malicious actor. In either case, the backdoor was able to be introduced in plain sight.
What does this mean for open-source software security?
According to the Open Source Security Foundation this is not an isolated incident. As open-source is based on people volunteering their time and skills for good, it’s important that everyone involved takes responsibility for monitoring potential threats and maintaining secure software.
It’s also important to look out for signs of social engineering, including friendly yet persistent pursuit of a maintainer by relatively unknown members of the community, endorsements coming from new or unknown members, intentionally difficult to understand source code or deviation from typical project compile, build, and deployment practices.