Cas van Cooten · Dec 10, 2021 · 4:19 PM UTC

Cas van Cooten

Cas van Cooten @chvancooten

10 Dec 2021

A story in three parts 😶 #log4j

1,199

238

4,266

Cas van Cooten · Dec 10, 2021 · 4:27 PM UTC

Cas van Cooten · Dec 10, 2021 · 4:27 PM UTC

Cas van Cooten @chvancooten

10 Dec 2021

Disclaimer: I'm fairly sure I'm not the first one to have tried this but I flagged it with Apple's product security team either way. I'm sure they are busy enough patching their systems 😅

Dec 10, 2021 · 4:27 PM UTC · Twitter Web App

451

Cas van Cooten · Dec 10, 2021 · 4:39 PM UTC

Cas van Cooten @chvancooten

10 Dec 2021

Disclaimer²: Normally I wouldn't share such vulns before the vendor has had a chance to mitigate. However, I chose differently in this case because 1) The issue is already very widespread 2) I likely wasn't the first one to tell Apple 3) It's a prime example of how deep this goes

539

Derek Moore · Dec 10, 2021 · 7:09 PM UTC

Derek Moore @derekm00r3

10 Dec 2021

Replying to @chvancooten

I don't get the 3rd screenshot.

Derek Moore · Dec 10, 2021 · 7:10 PM UTC

Derek Moore @derekm00r3

10 Dec 2021

Oh, the network details of the IPs that made the DNS requests...

h@x · Dec 10, 2021 · 7:19 PM UTC

h@x @On1c0n3_hax

10 Dec 2021

Replying to @chvancooten

@chvancooten According to what we already know about how e.g. Apple deals with bug bounty payouts... And this is one of the biggest companies if we compare the purchasing power, I would do the same. For the reason that nothing has changed and Apple is fleecing their developers.

iJiw · Dec 12, 2021 · 10:19 AM UTC

iJiw @AdeHirzi

12 Dec 2021

Replying to @chvancooten

Sorry im too junior for this, how about the picture 2nd? How thats code work on 2nd? Please explain detail