Cyber security researchers have discovered that changing the device name of an iPhone or a Tesla in the settings reveals remote server details, indicating that the server at the other end is vulnerable to the most serious Internet bug, called ‘Log4Shell’.
In demonstrations, researchers changed the device names to a “string of characters” that would send servers to a testing URL, reports The Verge.
“After the name was changed, incoming traffic showed URL requests from IP addresses belonging to Apple and, in the case of Tesla, China Unicom — the company’s mobile service partner for the Chinese market,” the report said late on Monday.
The team of researchers actually tricked Apple and Tesla servers into visiting a URL of their choice.
A Dutch security researcher demonstrated the exposure of the iPhone server details.
“An attacker could host malicious code at the target URL in order to infect vulnerable servers, but a well-maintained network could prevent such an attack at the network level,” the report noted.
Cyber security researchers have warned that hackers make over 100 attempts every minute to exploit a critical security vulnerability in the widely used Java logging system called ‘Apache Log4j2’, leaving millions of companies globally at risk of cyber theft.
Several popular services, including Apple iCloud, Amazon, Twitter, Cloudflare, and Minecraft, are vulnerable to this ‘ubiquitous’ zero-day exploit, now dubbed one of the most serious vulnerabilities on the Internet in recent years.
‘Apache Log4j’ is used in many forms of enterprise and open-source software, including cloud platforms, web applications, and email services.
Apache Log4j is the most popular Java logging library with over 400,000 downloads from its GitHub project. It is used by a vast number of companies worldwide, enabling logging in a wide set of popular applications.
“Exploiting this vulnerability is simple and allows threat actors to control Java-based web servers and launch remote code execution attacks,” cyber security researchers said in a blog post.
Researchers at Microsoft have also warned about attacks attempting to take advantage of ‘Log4j’ vulnerabilities, including a range of crypto-mining malware.