A new exploit called “Log4Shell” has been giving security teams at large technology companies a headache. When exploited, the vulnerability lets hackers run malicious code on vulnerable servers, and it can reportedly affect platforms such as iCloud and Steam.
As detailed by security company LunaSec (via the Verge), the vulnerability was first found in log4j, an open-source library used by multiple apps and websites for logging – which is the process of keeping a list of performed activities in order to review them later for fixing bugs or other errors.
According to security researcher Marcus Hutchins, Log4Shell could affect millions of apps around the world as the log4j library is widely used by developers. To exploit the vulnerability, hackers need to save a special string with specific characters in the log.
The Log4Shell exploit was recently seen on Minecraft servers where hackers used the vulnerability through chat messages. LunaSec claims that Apple’s iCloud is also vulnerable to the new exploit. Attackers can even trigger the malicious code through QR codes, which makes the exploit even more dangerous.
To exploit the vulnerability, an attacker has to cause the application to save a special string of characters in the log. Since applications routinely log a wide range of events — such as messages sent and received by users, or the details of system errors — the vulnerability is unusually easy to exploit and can be triggered in a variety of ways.
Apple and other companies didn’t respond to a request for a comment, but they are certainly all working to fix all the breaches as soon as possible.