Criminals may already be accessing people’s personal data by exploiting a massive security flaw affecting hundreds of millions of computers and other devices across the world, the UK’s privacy regulator has warned.
The Information Commissioner’s Office (ICO) sounded the alarm as the first evidence emerged of hackers exploiting the bug, dubbed “Shellshock”. The flaw – contained within a piece of software called Bash, which is used by operating systems and internet servers the world over – potentially allows any computer with the vulnerability to be remotely controlled.
Both the UK and US governments have issued national alerts in response to the bug, warning that it may compromise organisations responsible for “critical national infrastructure” such as power stations if it is not rapidly dealt with.
The Independent understands that British authorities are so far unaware of any confirmed reports of a hacker successfully compromising an important system. However, a comprehensive solution to the problem has yet to be found, meaning the window of opportunity for malicious hackers remains open.
In a statement issued today the ICO said the Shellshock flaw “could be allowing criminals to access personal data held on computers or other devices”, which “should be ringing real alarm bells” for British businesses, which are legally obliged to keep their customers’ details secure.
The bug was discovered on 12 September by Stephane Chazelas, a 38-year-old French software developer who lives in Edinburgh. In an email conversation with The Independent today, he said he had uncovered the flaw “by chance”, likening it to “the kind of thought you get when stepping out of the shower”.
Asked what his feelings were when he realised how dangerous Shellshock could be, he said: “That got a bit scary. I discovered a few other vectors which were a lot worse than the original one I was reflecting on that allowed hacking in many websites – and I envisaged that the list of possible infection vectors could be endless.”
Mr Chazelas immediately reported what he had found to Chet Ramey, a 49-year-old American programmer working at Case Western Reserve University in Ohio, who maintains the Bash source code. Mr Ramey has since said he probably inadvertently introduced Shellshock alongside a new Bash feature in 1992.
Asked whether other similarly dangerous bugs might be lurking in other commonly used pieces of software, Mr Chazelas replied: “Of course, there will always be bugs, some of those will always be vulnerabilities. We can only work at making things better.”