Logging system security flaw compromises iCloud, Steam accounts

0comments
Logging security flaw compromises iCloud, Steam accounts
A new security flaw has been discovered in a rather popular logging library, which is used widely by apps and services across the internet—online gaming platform Steam by Valve, and Apple's iCloud backup platform.

For a bit of a tech refresher, an app or service's logging system has nothing to do with the actual log-in process of a personal account; rather, it simply creates and keeps logs of all the recently performed activities, which can be referred back to should the app or service crash or experienced any other kind of error.

As Mobile Syrup notes, all network systems employ some sort of a logging utility, and when one such library becomes unfortunately compromised, such a vulnerability can have quite a far-reaching and serious impact on multiple levels.

The logging library in question is named "Apache Log4j," and is a Java-based logging utility created by the Apache Software Foundation (or ASF).

The vulnerability discovered in Log4j, which first became apparent on Minecraft hosting sites, essentially allows attackers to inject strings of code directly into the library. The vulnerability has been dubbed Log4Shell and, it turns out, isn't difficult to exploit at all. An attacker could simply publish chat messages on a site to trigger it, and then put whatever code they want into the logging library.

Last Friday, Minecraft rolled out a patch to stop further exploits of Log4Shell, but there are many other impacted platforms—such as Steam, one of the most popular online gaming platforms, as well as none other than Apple's own iCloud.

It appears both those platforms remain vulnerable to Log4Shell, although Log4j has since updated its library with a patch that apparently reduces the risk of exploits, although it doesn't entirely eliminate it. And because Log4j is such a widely used logging library for many services, it will likely take some time until all connected devices and accounts are completely safe from Log4Shell.

Recommended Stories

Loading Comments...
FCC OKs Cingular\'s purchase of AT&T Wireless