A Simple Exploit is Exposing the Biggest Apps on the Internet

Several popular websites, apps, and services such as Minecraft, iCloud, Twitter, and Steam are reportedly vulnerable to a powerful bug that could allow hackers to take control of their servers and clients, according to several security researchers.

On Thursday, researchers noticed that a popular Java logging library (log4j) had a bug that allows for Remote Code Execution or RCE, hacker lingo for one of the most dangerous types of vulnerabilities, one that essentially allows hackers to take control of the target. GitHub labeled the vulnerability as “critical severity,” and many researchers, as well as the Director of Cybersecurity at the NSA, are sounding the alarm.

“This log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, the act of keeping a log of any event or action that happens on a server. And all the attacker needs to do is get the app to log a special string,” Marcus Hutchins, a well-known researcher, wrote on Twitter.

Researchers at cybersecurity company LunaSec wrote in a blog that “given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe.” 

Bojan Zdrnja, Senior Instructor at SANS Institute, said in an email that “log4j is a very popular logging package for Java. It is very powerful and flexible and, even from my own experience, is used in almost every Java application that I have ever encountered [...] The exploit is actually unbelievably simple—which makes it very, very scary at the same time.”

Researchers initially said Cloudflare was vulnerable to this Log4j vulnerability. But a Cloudflare spokesperson said that the company has “no evidence of exploitation of us.”

“We responded quickly to evaluate all potential areas of risk and updated our software to prevent attacks, and have not been able to replicate any external claims that we might be at risk,” the spokesperson told Motherboard in an email.

Apple, Microsoft, which owns Minecraft, and Valve, which owns Steam, did not respond to a request for comment. 

The first reports of the existence of this vulnerability came in regards to Minecraft, one of the most popular video games of all time. Hutchins wrote on Twitter that in Mincecraft’s case “attackers were able to get remote code execution on Minecraft Servers by simply pasting a a short message into the chat box.”

Hutchins told Motherboard that he was able to confirm and reproduce the vulnerability.

As it is tradition, the vulnerability has a name, “Log4Shell,” which was invented by LunaSec. Kevin Beaumont, an independent security researcher who used to work for Microsoft, jokingly made a logo for it. 

As Ars Technica reported on Friday, “Log4j is incorporated into a host of popular frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink. That means that a dizzying number of third-party apps may also be vulnerable to exploits that carry the same high severity as those threatening Minecraft users.”

A researcher on GitHub published a blog post listing the services that are impacted. 

UPDATED, Dec. 10, 12:00 p.m. ET: This story has been updated to include Cloudflare’s comments. A previous version of the story said that Cloudflare was vulnerable, but the company denied it.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.