With nothing but a web browser and an internet connection, attackers can easily hack the websites of at least 65% of Fortune 100 companies by exploiting a vulnerability that’s existed for nearly a decade, according to a new report by security researchers.
The vulnerability was discovered in a popular open-source software package called Apache Struts, which is a programming framework for building web applications in Java.
“All versions of Struts since 2008 are affected; all web applications using the framework’s popular REST plugin are vulnerable,” according to researchers at the security firm lgtm. The REST plugin is an add-on for Struts used to handle web requests, like data sent to a server from a form a user has filled out.
The vulnerability lies in how the REST plugin parses that kind of data and converts it into Java objects the application can work with. Because the conversion itself instantiates objects and runs their initialization code, an attacker who crafts the request body carefully can have code execute during the conversion step, before the application ever inspects the result and without needing credentials or any access beyond the public web endpoint.
That means intruders could run arbitrary code on the web server, possibly without being detected, and use that foothold to steal or delete sensitive data, or to deploy ransomware, among other things.
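The article describes the general class of flaw (untrusted data converted into objects, with code running during the conversion) without naming the parser the Struts plugin uses. The example below is added here and is not code from the article, from lgtm, or from the Apache Struts project: it illustrates the same pattern with plain Java serialization, which is not what the Struts plugin uses, but shows in a few lines why "just parsing" a request body is enough to run attacker-chosen code, and what the allow-list fix looks like. The class names, the flag set by the gadget, and the form data type are all hypothetical; the hardened version uses the standard-library `ObjectInputFilter`, which requires Java 9 or later.

```java
import java.io.*;

public class DeserializationDemo {

    // Hypothetical "gadget": a class whose readObject has a side effect.
    // A real gadget chain would do something far worse than set a flag;
    // the point is only that converting the bytes into an object runs this
    // method, before any application code looks at the result.
    static class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean triggered = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true; // attacker-controlled code would run here
        }
    }

    // The type the endpoint actually expects from a submitted form (hypothetical).
    static class FormData implements Serializable {
        private static final long serialVersionUID = 1L;
        String name;
        FormData(String name) { this.name = name; }
    }

    // Helper used only to construct the sample request bodies for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable: converts whatever the client sent into an object. Any class on
    // the classpath can be instantiated, and its readObject runs unconditionally.
    static Object parseUntrusted(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return ois.readObject();
        }
    }

    // Hardened: allow-list exactly the classes this endpoint needs and reject
    // everything else ("!*"). The filter runs before the class is instantiated,
    // so a rejected class never gets to execute its readObject.
    static Object parseFiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "DeserializationDemo$FormData;java.lang.String;!*"));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one legitimate form body, one hostile body.
        byte[] legit = serialize(new FormData("alice"));
        byte[] hostile = serialize(new Gadget());

        // Legitimate data still works through the filtered parser.
        System.out.println("legit via filtered parse: " + ((FormData) parseFiltered(legit)).name);

        // Unfiltered parse: merely converting the bytes runs the gadget's code.
        parseUntrusted(hostile);
        System.out.println("gadget triggered by unfiltered parse: " + Gadget.triggered);

        // Filtered parse: the unexpected class is rejected before it is instantiated.
        Gadget.triggered = false;
        try {
            parseFiltered(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered parse rejected hostile body: " + e.getMessage());
        }
        System.out.println("gadget triggered by filtered parse: " + Gadget.triggered);
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo` on Java 9 or later. The design point carries over to any parser that turns request data into objects, whatever the wire format: the safe posture is to name the handful of types an endpoint legitimately accepts and refuse everything else, rather than let the client choose which classes get instantiated.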
Researchers at lgtm say they’ve developed a “simple working exploit for this vulnerability,” as well as a patch that will fix it, which has been integrated into the latest version of Apache Struts. The researchers are holding off on publishing their exploit to give users a chance to update their software. Whether hackers had discovered the bug at any point in the past nine years is unclear, but lgtm has found no evidence of an exploit being circulated online, on black market websites or elsewhere.
“At the time of the announcement there is no suggestion that an exploit is publicly available, but it is likely that there will be one soon,” the researchers said in their report.
Still, the widespread use of Struts and the ease with which hackers could exploit the vulnerability is cause for concern, the researchers said.
“Struts is used in several airline booking systems, as well as a number of financial institutions who use it in internet banking applications,” according to Man Yue Mo, a researcher at lgtm. “On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser. Organizations who use Struts should upgrade their components immediately.”