Shellshock superbug: Can anything stop the hackers? Millions of users' online details at risk
A comprehensive solution to the problem has yet to be found, meaning the window of opportunity for malicious hackers remains open
Your support helps us to tell the story
From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.
At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.
The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.
Your support makes all the difference.Criminals may already be accessing people’s personal data by exploiting a massive security flaw affecting hundreds of millions of computers and other devices across the world, the UK’s privacy regulator has warned.
The Information Commissioner’s Office (ICO) sounded the alarm as the first evidence emerged of hackers exploiting the bug, dubbed “Shellshock”. The flaw – contained within a piece of software called Bash, which is used by operating systems and internet servers the world over – potentially allows any computer with the vulnerability to be remotely controlled.
Both the UK and US governments have issued national alerts in response to the bug, warning that it may compromise organisations responsible for “critical national infrastructure” such as power stations if it is not rapidly dealt with.
The Independent understands that British authorities are so far unaware of any confirmed reports of a hacker successfully compromising an important system. However, a comprehensive solution to the problem has yet to be found, meaning the window of opportunity for malicious hackers remains open.
In a statement issued today the ICO said the Shellshock flaw “could be allowing criminals to access personal data held on computers or other devices”, which “should be ringing real alarm bells” for British businesses which are legally obliged to keep their customers’ details secure.
The bug was discovered on 12 September by Stephane Chazelas, a 38-year-old French software developer who lives in Edinburgh. In an email conversation with The Independent today, he said he had uncovered the flaw “by chance”, likening it to “the kind of thought you get when stepping out of the shower”.
Asked what his feelings were when he realised how dangerous Shellshock could be, he said: “That got a bit scary. I discovered a few other vectors which were a lot worse than the original one I was reflecting on that allowed hacking in many websites – and I envisaged that the list of possible infection vectors could be endless.”
Mr Chazelas immediately reported what he had found to Chet Ramey, a 49-year-old American programmer working at Case Western Reserve University in Ohio, who maintains the Bash source code. Mr Ramey has since said he probably inadvertently introduced Shellshock alongside a new Bash feature in 1992.
Asked whether other similarly dangerous bugs might be lurking in other commonly used pieces of software, Mr Chazelas replied: “Of course, there will always be bugs, some of those will always be vulnerabilities. We can only work at making things better.”