
I am not an expert in security items and exploits, so I would like to know how this recent Log4Shell exploit can affect me as an end user.

Reading the news, the exploit can affect services like "Twitter", "Apple" etc. But what does it mean for me as an end user? Can someone run code on my machine when I visit Apple websites or Twitter websites? Can I avoid any problems by not visiting these websites and services? How else could I become affected?

Philipp
Alex

2 Answers

The bug is relevant for applications written in Java which use the log4j library to log information originating from untrusted sources (like from the attacker). The bug can lead to execution of code with the privileges of the Java application.

In the case of Twitter and Apple, this is about the backend running on the server side and not the client-side application. It is not affecting the clients visiting the site. But some client-side applications, like Minecraft, are also affected.

The link you've referenced mainly includes pictures of possible affected sites. To get more detailed information see for example Zeroday in ubiquitous Log4j tool poses a grave threat to the Internet.

Steffen Ullrich

Taking a broad approach to "affected", this CVE theoretically allows someone to run arbitrary code on a vulnerable host. That means, under the right conditions, information you have placed on remote servers could be accessed by unauthorized third-parties. An easy example could be someone exploiting this vulnerability to exfiltrate passwords or other secrets from the service, but your imagination is the limit.

While large services like Twitter, Apple, etc. may on the surface appear susceptible to this, there are still many steps between making a DNS request (as pictured in the link) and causing real havoc. Things like outbound firewall rules could allow DNS but prevent other protocols. Ultimately we will need to wait and see, service-by-service, what they share about their experience with this vulnerability.

Can someone run code on my machine when I visit Apple websites or Twitter websites? Can I avoid any problems not visiting these websites and services?

Not necessarily, no, but certainly an attacker could theoretically alter the behaviour of the website in a way that changed its behaviour in your browser/app. Certainly limiting your usage of these sites could, again theoretically, reduce risk/reduce the likelihood of your data being readily available to an attacker. That said, there is no reason to believe that services as large as those examples don't have other contingencies in place.

Whymarrh