Format bugs were first noted in 1989 by the [[fuzz testing]] work done at the University of Wisconsin, which discovered an "interaction effect" in the [[C shell]] (csh) between its [[command history]] mechanism and an error routine that assumed safe string input.<ref>{{cite journal |url=ftp://ftp.cs.wisc.edu/paradyn/technical_papers/fuzz.pdf |title=An Empirical Study of the Reliability of UNIX Utilities |first1=Barton P. |last1=Miller |first2=Lars |last2=Fredriksen |first3=Bryan |last3=So |journal=[[Communications of the ACM]] |volume=33 |number=12 |date=December 1990 <!--NB: paper copyright is 1989 --> |doi=10.1145/96267.96279 |pages=32–44}}</ref>
The use of format string bugs as an [[Vector (malware)|attack vector]] was discovered by [[Tymm Twillman]] during a [[security audit]] of the [[ProFTPD]] daemon {{Citation<ref needed}}name="Tymm_proftpd" />. The audit uncovered an <code>[[snprintf]]</code> that directly passed user-generated data without a format string. Extensive tests with contrived arguments to printf-style functions showed that use of this for privilege escalation was possible. This led to the first posting in September 1999 on the [[Bugtraq]] mailing list regarding this class of vulnerabilities, including a basic exploit.<ref name="Tymm_proftpd">[http://seclists.org/bugtraq/1999/Sep/0328.html Bugtraq: Exploit for proftpd 1.2.0pre6]</ref> It was still several months, however, before the security community became aware of the full dangers of format string vulnerabilities as exploits for other software using this method began to surface. The first exploits leading to successful [[privilege escalation]] attack were published simultaneously on the [[Bugtraq]] list in June 2000 by [[Przemysław Frasunek]]<ref>[http://marc.theaimsgroup.com/?l=bugtraq&m=96179429114160&w=2 'WUFTPD 2.6.0 remote root exploit' - MARC]</ref> and the person using nickname ''tf8''.<ref>[http://marc.theaimsgroup.com/?l=bugtraq&m=96171893218000&w=2 'WuFTPD: Providing *remote* root since at least1994' - MARC]</ref> The seminal paper "Format String Attacks"<ref>[http://seclists.org/bugtraq/2000/Sep/0214.html Bugtraq: Format String Attacks]</ref> by [[Tim Newsham]] was published in September 2000.
