Log4j implications for Codebook users

I sent an email to the support email address but then I realized others might have the same question so I’m reposting it here for others to see:

If sites I visit have log4j vulnerabilities, could a malicious intruder use that to steal my password from that site?

I’m not worried about my machine’s vulnerability but am concerned about possibly having to reset dozens of my unique, gibberish passwords because of others’ vulnerabilities.

At least my passwords are all unique – thanks Codebook!

Hey @User673

Thank you for using Codebook and posting to the discussion forum with this question. I’ll be happy to help.

If sites I visit have log4j vulnerabilities, could a malicious intruder use that to steal my password from that site?

The log4j vulnerability doesn’t give direct access to steal passwords from a service, but it can be used to compromise the service as a whole and therefore gain access to your sensitive data/passwords.

Because of this, I can’t really provide you with a blanket yes or no answer to this question. Instead I’d like to call out that inputting/storing your password with a service is dependent on the service’s security. This has always been the case prior to the log4j vulnerability. For example, if a service decides to use poor security measures and store your password in plain text in a database which isn’t protected, then your password is almost definitely compromised.

Some services may have already patched the log4j vulnerability, whereas others might not patch it in the near future, aren’t even aware of it, or weren’t susceptible in the first place.

The Password Review feature within Codebook can assist in determining whether specific passwords have been compromised. The Password Review feature available in Codebook for macOS/iOS: Codebook Help - Password Review. This feature allows you to review whether your password has been leaked against a database of half a billion leaked passwords compiled by security researchers (further details in the link).

An improvement we’d like to make in the future for Codebook is to have a “Password Audit” feature which would check all your passwords/emails for if they’ve been compromised, potentially provide password weakness warnings, re-used passwords, similar passwords, etc. This is something that we’ve discussed and do have long term plans for implementing, but can’t comment on a time frame for when it would be available.

Our recommendation is to keep an eye out for emails from the services you use (they have a responsibility to disclose any breaches) and the news. If breaches are reported, use the Password Review feature to determine if those passwords have been leaked (change the breached password even if they haven’t).

Please let me know if this answers your questions and if there’s anything else I can do to assist. Thanks!
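As an added illustration of the two ideas in the reply above (checking a password against a leaked-password database without handing the password over, and a vault-wide audit for leaked, reused and weak entries), here is a small Python example. It is not Codebook's code and does not describe how Codebook's Password Review is implemented: the leak database is a constructed in-memory stand-in, the 5-character SHA-1 prefix range query is the k-anonymity scheme commonly used for such lookups and is assumed here, and the weakness rules (length and character classes) are a hypothetical heuristic.

```python
import hashlib
from collections import defaultdict

# Constructed sample of leaked passwords with breach counts (stands in for a
# researcher-compiled corpus). A real leak database holds only hashes and
# counts; we hash these at load time so nothing below touches the plaintext.
_LEAKED_SAMPLE = {"password": 3730471, "123456": 23597311, "letmein": 236000}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the hash the range index is keyed on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Range index: 5-hex-char prefix -> {35-hex-char suffix: breach count}
_RANGE_INDEX = defaultdict(dict)
for _pw, _count in _LEAKED_SAMPLE.items():
    _h = sha1_hex(_pw)
    _RANGE_INDEX[_h[:5]][_h[5:]] = _count


def range_lookup(prefix: str) -> dict:
    """Stand-in for a remote range endpoint (assumed design, not Codebook's).

    The caller sends only the first 5 hex characters of the hash; the service
    returns every suffix in that bucket with its count. It never learns the
    full hash, let alone the password, which is the k-anonymity property.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(_RANGE_INDEX.get(prefix.upper(), {}))


def leak_count(password: str) -> int:
    """How many times the password appears in the leak corpus (0 = not found)."""
    digest = sha1_hex(password)
    bucket = range_lookup(digest[:5])  # only the prefix leaves the client
    return bucket.get(digest[5:], 0)  # suffix comparison happens locally


def is_weak(password: str) -> bool:
    """Hypothetical weakness heuristic: under 12 chars or fewer than 3 classes."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return len(password) < 12 or classes < 3


def audit(entries: dict) -> dict:
    """Vault-wide audit: entries maps site -> password.

    Returns the sites flagged in each category. Reuse is detected by grouping
    sites that share an identical password.
    """
    sites_by_password = defaultdict(list)
    for site, pw in entries.items():
        sites_by_password[pw].append(site)

    report = {"leaked": [], "reused": [], "weak": []}
    for site, pw in entries.items():
        if leak_count(pw) > 0:
            report["leaked"].append(site)
        if len(sites_by_password[pw]) > 1:
            report["reused"].append(site)
        if is_weak(pw):
            report["weak"].append(site)
    return report


def sample_vault() -> dict:
    """Constructed vault contents for demonstration (not real accounts)."""
    return {
        "bank.example": "Tr0ub4dor&3xyz!",
        "shop.example": "password",
        "forum.example": "password",
        "mail.example": "Zq7!mN2#vL9pR4wT",
    }


if __name__ == "__main__":
    for category, sites in audit(sample_vault()).items():
        print(f"{category}: {sites}")
```

Running the module audits the constructed vault and flags the two sites sharing the leaked, short password; the remaining two entries pass all three checks. The design point is in `leak_count`: the comparison of the 35-character suffix happens on the client, so a leak-checking service sees only a prefix shared by many unrelated hashes.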

Micah,

Thanks. This makes sense.

I posted the same question on your Codebook support forum since I thought others might have similar questions. You may just want to copy and paste your answer from below — it’s very good.

I had forgotten the Password Review function — I’ll start using it.

I’m glad I’m using your product.

Merry Christmas,

Al Bonnyman

Al,

Absolutely, thanks for posting the question on the forum publicly. As you mentioned, I’m sure other Codebook users have the same question.

I’m glad I’m using your product.

We’re happy to have you as a Codebook’er! :grinning_face_with_smiling_eyes:

Merry Christmas,

Merry Christmas :christmas_tree: to you as well!