A vulnerability called Log4Shell, found in the open-source logging library Log4j, leaves millions of devices vulnerable to attacks. As The Verge notes, apps and services keep a record of all the events that happen while they’re running, giving them a way to analyze how their program is performing and to figure out what went wrong in case of errors. Log4j happens to be a popular and widely used logging library, and even popular cloud services like Steam and iCloud, as well as apps like Amazon, Twitter and Minecraft, are reportedly vulnerable to attacks exploiting Log4Shell.
According to Ars Technica, it first came to light after Minecraft websites started reporting a vulnerability allowing hackers to execute malicious code in the game. It became clear soon after, though, that the problem doesn’t affect only Minecraft. Security researcher Marcus Hutchins, who helped stop the spread of the WannaCry malware, called the vulnerability “extremely bad” since millions of applications use Log4j for logging.
Bad actors could use it to remotely execute code on servers, directing them to download and run malware that would compromise companies’ and people’s data. Worse, it’s pretty easy to exploit and could be triggered simply by posting messages. Hutchins said that in the case of Minecraft, attackers were able to execute code remotely by posting a message in the chat box. In a blog post, app security company LunaSec said triggering the vulnerability in Apple’s servers is as easy as changing an iPhone’s name.
Log4j has already issued a fix for the vulnerability, and affected services like Minecraft and Cloudflare have already rolled out patches to protect users. Those running their own networks with Log4j may also want to patch their systems at the earliest possible opportunity.