A massive cybersecurity vulnerability discovered in an Apache logging tool has caused chaos across the internet, as organisations rush to patch millions of web-based services around the world.
The Log4j weakness exploits a bug in Apache’s open-source Log4j v.2 logging Java library, allowing an outside user to insert their own code that Log4j will interpret as ‘real’ instructions, to devastating effect.
Log4j is highly common across huge numbers of web-based services, servers with web based front-ends, and countless devices that support some kind of web-based maintenance – such as routers, network switches and many more.
A horrifying compilation of screenshots gathered on GitHub shows how (at time of writing) hackers can already exploit the bug everywhere from the search fields of Linkedin, Amazon and Baidu, to the login pages of Apple and Cloudflare, across Webex meetings and even the chat boxes on online games such as Minecraft.
In each case hackers can use the vulnerability to have the device’s network-access ability either forward confidential information to another URL, or retrieve a payload from another website. According to reports by ARSTechnica, the trick has already been used in the wild, with researchers seeing new botnets, crypto-mining malware and more installed by hackers.