cybersecurity
Bulletins

Researchers warn of a 'very, very scary' bug affecting major apps

Affected companies could include Apple, Twitter, Microsoft and more, the researchers said.

A computer screen with code on it

"The log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks," NSA cybersecurity director Rob Joyce tweeted.

Photo: Lewis Kang'ethe Ngugi/Unsplash

Security researchers and officials, including the director of cybersecurity at the National Security Agency, are sounding the alarm about a critical bug that could allow hackers to take remote control of targets' devices. The bug stems from a widely used logging tool called log4j, used in applications made by some of the largest technology companies in the world. The flaw was first detected in Minecraft, which is owned by Microsoft, but could also extend to companies including Apple, Twitter, and more, researchers say.

“Log4j is a very popular logging package for Java. It is very powerful and flexible and, even from my own experience, is used in almost every Java application that I have ever encountered ... The exploit is actually unbelievably simple — which makes it very, very scary at the same time," Bojan Zdrnja, senior instructor at SANS Institute, told Vice.

Logging tools record almost all activity that occurs when software is running, which allows developers to go back and fix the inevitable problems that crop up. This particular vulnerability could allow a remote attacker to craft specific messages that once logged, direct the computer to download code giving them complete control of the system.

"The log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, even NSA’s GHIDRA," NSA cybersecurity director Rob Joyce tweeted Friday, referring to an NSA open-source software project.

Security company CloudFlare determined the log4j bug was "so bad" that CEO Matthew Prince said the company is rolling out protections to all CloudFlare users by default. "But, no matter what we are able to do, we will not be able to fully protect against all exploits of #Log4J because there are so many ways things can get logged," Prince tweeted Friday. "Critical to patch your Log4J systems.

Correction: This story has been updated to correct the names of Bojan Zdrnja and Matthew Prince. This correction was made Dec. 10, 2021.

This story has been updated to clarify how the vulnerability can be exploited.

Issie Lapowsky

Issie Lapowsky ( @issielapowsky) is Protocol's chief correspondent, covering the intersection of technology, politics, and national affairs. She also oversees Protocol's fellowship program. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University's Center for Publishing on how tech giants have affected publishing.

microsoftappletwitterhackingcybersecurity
Latest Bulletins

Mobile gaming's surprising slump is dragging down the game market

Mobile game revenue will decline for the first time in history this year, market research firm Newzoo now says in a revised outlook for the 2022 global games market. While the whole game industry is expected to contract by 4.3% — another first since Newzoo began tracking the market in 2007 — the company is predicting a 6.4% decline in mobile game spending on top of a 4.2% decline in console game spending.

Keep ReadingShow less

Amazon will lay off workers ahead of holiday season

Amazon is planning to lay off thousands of employees, Protocol has learned, ahead of what the company has cautioned will be a slow holiday shopping season.

Keep ReadingShow less

Google settles with state AGs over location-tracking disclosures

Google agreed to pay $391.5 million and make changes to its user privacy controls as part of a settlement with a coalition of 40 state attorneys general. The coalition accused Google of misleading customers about location-tracking practices that informed ad targeting.

Keep ReadingShow less

FTX files for bankruptcy and Sam Bankman-Fried is out as CEO

FTX has filed for bankruptcy and the crypto company also announced that founder Sam Bankman-Fried has resigned as CEO.

Keep ReadingShow less

Salesforce adjusted its HR policies to make firing workers easier

Salesforce recently updated its internal policies to make it easier for managers to terminate employees for performance issues without HR involvement, Protocol has learned, a move that comes as the software giant looks to shed as many as 2,500 jobs.

Keep ReadingShow less

CFPB: 'Pig butchering' and other frauds are the top crypto complaint

The Consumer Financial Protection Bureau said fraud and scam reports comprise the top complaint it receives about virtual currencies — and that customers are finding little help from companies when it happens.

Keep ReadingShow less

Musk ends remote work at Twitter

Elon Musk sent his first email to Twitter staff late Wednesday, warning of a difficult economic road ahead and telling employees they need to be in office for a minimum of 40 hours per week. "Sorry that this is my first email to the whole company, but there is no way to sugarcoat the message," he began, ominously.

Keep ReadingShow less

Binance has dropped its plan to buy rival FTX

Binance isn’t buying FTX after all. The crypto giant said Wednesday it has decided that it “will not pursue the potential acquisition” based on a “corporate due diligence” review.

Keep ReadingShow less

John Kerry just announced a new carbon credit plan at COP27

On Wednesday, John Kerry unveiled a plan for a new carbon credit program aimed at mobilizing private capital to help middle-income countries transition away from coal and move toward renewable energy.

Keep ReadingShow less

Meta is laying off more than 11,000 people

Meta announced it was laying off more than 11,000 employees Wednesday morning, slashing jobs in its recruiting department and refocusing its remaining team on AI discovery, ads, and its investment in the metaverse.

"I want to take accountability for these decisions and for how we got here," Mark Zuckerberg wrote in a message to employees that was also posted online. "I know this is tough for everyone, and I’m especially sorry to those impacted."

Keep ReadingShow less

This global emissions inventory is Al Gore’s secret weapon at COP27

Al Gore has one mission this week at COP27, and that’s to give climate negotiators what he hopes will be a critical tool to address the crisis at hand: an independent, global inventory of greenhouse gas emissions, down to the individual facility.

The Climate TRACE coalition just released the world’s most detailed inventory of global greenhouse gas emissions, which Gore, a founding member, is unveiling on Wednesday at the United Nations climate summit in Egypt.

Keep ReadingShow less

How Big Tech can deliver on its net zero plans

Way back in March, your friendly Protocol Climate team offered you some tips for writing a climate plan that doesn’t suck. Surely you took that advice. But if for some reason you didn’t, the United Nations has your back.

Keep ReadingShow less

Binance has agreed to buy crypto rival FTX

Binance CEO Changpeng “CZ” Zhao said Tuesday the crypto powerhouse signed a deal to acquire rival FTX.

Keep ReadingShow less

Salesforce plans for major layoffs

Salesforce is preparing for a major round of layoffs that could affect as many as 2,500 workers across the software vendor, Protocol has learned, in a bid to cut costs amid a new activist investor challenge and harsh economic conditions.

Keep ReadingShow less

BlockFi is back in the crypto yield business

BlockFi has introduced a new digital assets interest product for accredited investors, after previously agreeing to shut down a yield-paying crypto product that the SEC said was illegal.

Keep ReadingShow less

The DOJ seized $3.4 billion in bitcoin stolen from the Silk Road

The Justice Department said Monday it seized $3.4 billion worth of bitcoin stolen in the 2012 hack of the Silk Road dark web marketplace.

Keep ReadingShow less

Trump allies are questioning US democracy. Tech is letting them.

U.S. election infrastructure is exceedingly secure, and voter fraud here is so rare it’s comparable to your annual chances of getting struck by lightning. Despite this, former President Donald Trump and a long list of allies in the Republican Party have spent the last two years questioning the overall integrity of the U.S. election system. Many of those allies are now candidates themselves, and their coordinated attack on the country’s status as a democracy is not a relic of 2020. Some have already started repeating these “Big Lie” charges ahead of next week’s midterms. And the social platforms that help them spread their message have prepared few measures to stop it.

Keep ReadingShow less

The Biden administration's five net zero technology priorities

The White House just laid out its climate tech priorities to reach net zero by 2050.

Keep ReadingShow less

Coinbase's user losses weren't as bad as Wall Street feared

Coinbase said Thursday that it lost more users in the third quarter. But the decline wasn’t the disastrous drop that Wall Street was expecting, and that sparked a rally in the crypto company’s shares after-hours.

Keep ReadingShow less

Biden just boosted heat pumps. Here’s how to maximize the investment.

The Biden administration announced $9 billion in funding Wednesday to improve home efficiency, which could help support the installation of up to 500,000 heat pumps. With winter approaching and utilities warning of gas shortages, there are some major challenges facing the technology that money can be used to tackle.

Keep ReadingShow less

Block is cashing in on Cash App

Block beat earnings expectations, with strong growth largely fueled by its Cash App business. Traders sent shares up more than 12% after-hours Thursday.

Keep ReadingShow less

Stripe will lay off 14% of its employees

Stripe is laying off 14% of its staff, its co-founders said Thursday, as the fintech startup must start "building differently for leaner times."

Keep ReadingShow less

Roku is warning of Q4 advertising slowdown

Roku saw its revenue growth slow in Q3, and warned investors Wednesday that things are about to get worse: “A lot of Q4 ad campaigns are being canceled,” said Roku CEO Anthony Wood during the company’s Q4 earnings call. “We’re seeing lots of big categories pull back. Telecom, insurance … even toy marketers are planning on reducing their spending.”

Keep ReadingShow less

Green jobs are everywhere, but workers with the proper skills are not

Green jobs and corporate climate pledges abound, but skilled sustainability professionals are scarce.

Keep ReadingShow less

Robinhood might be showing signs of a turnaround

Robinhood reported a drop in third-quarter revenue but also a narrower loss on Wednesday, in a sign that it might be stabilizing its business as it attempts to recover from a staggering drop in the stock and crypto trading activity that fueled its growth.

Keep ReadingShow less
Bulletins