Slashdot Mirror


Details of the LiveJournal Account Hacks

An anonymous reader writes "Brian Krebs of the Washington Post has written about the recent spate of hijackings at Six Apart's popular LiveJournal service. Hundreds of journals have now been taken over by a notorious group called 'Bantown' using a series of complicated cross-site-scripting vulnerabilities. Krebs details the recent security changes made by LiveJournal in response to the takeovers." From the article: "It is unclear whether LiveJournal has managed to close the security holes that the hackers claim to have used. The company says it has, but the hackers insist there are still at least 16 other similar JavaScript flaws on the LiveJournal site that could be used to conduct the same attack. [Bantown] group members said they plan to turn their attention to looking for similar flaws at another large social-networking site."

246 comments

  1. Blog by Ribbo.com · · Score: 5, Funny

    Maybe they should write about how they did it in their blog, I mean someone else's blog.....

    1. Re:Blog by dirvish · · Score: 1

      That is about all they can do. What is the point of hacking a livejournal account? I guess you could put up some ads...

      I suppose they aren't going to do the nice thing of explaining these 16 supposed holes to livejournal.

    2. Re:Blog by Ribbo.com · · Score: 3, Insightful

      The correct answer to any "What is the point" question is always "Because they can". Just like the idiots who insist on being the first to post to any new thread, others also crave "being the first" no matter how pointless, insignificant or downright rude it is. It will take a much smarter person than me to work out why they do it (maybe they actually want a job in internet security!)

    3. Re:Blog by pipingguy · · Score: 2, Insightful


      It will take a much smarter person than me to work out why they do it (maybe they actually want a job in internet security!)

      I'm not smarter than you but I know that those who fuck things up for the rest of us tend to be young (chronologically or mentally) interested in "making a mark". Like peeing to claim territory.

      I'm not immune to the occasional harmless troll myself, but this is just pure abuse.

    4. Re:Blog by EternityInterface · · Score: 1, Interesting

      Any intelligent fool can make things
      bigger / more complex / and more violent
      It takes a touch of genius
      and a lot of courage
      to move in the opposite direction
      (Einstein)

      I'd like an explanation of why Flash isn't allowed beyond "shit coding". BTW, You cannot use JavaScript [...] These scripts pose a security risk [..] and are automatically stripped [...] (Last Updated: October 30th, 2005)

      --
      the sun is god
    5. Re:Blog by mmkkbb · · Score: 1

      if you can explain that, you can explain all this weird world

      --
      -mkb
    6. Re:Blog by Shadow+Wrought · · Score: 1
      What is the point of hacking a livejournal account?

      Replacing crap with more better crap? Maybe they wanted to show off their l33t skilz and still claim moral obligation as a defense.

      --
      If brevity is the soul of wit, then how does one explain Twitter?
    7. Re:Blog by Peganthyrus · · Score: 1

      Getting attention. Causing "drama".

      It worked, too. They got their group's name mentioned on Slashdot. Pretty good attention if you're a geek.

      --
      egypt urnash minimal art.
    8. Re:Blog by springbox · · Score: 1
      [encyclopediadramatica.com]

      I'm a little put off how there appears to be multiple ads for ban saws on the side of the main page

    9. Re:Blog by turkeyphant · · Score: 1

      It's worse than that - I'm sure many people use their livejournal password and email address on PayPal, eBay and other secure sites.

  2. Poor Emos! by Ardeocalidus · · Score: 4, Funny

    Nooo! Poor Emos! I can just see them shivering in a cold, dank corner, cutting themselves because their journal was hi-jacked. What is becoming of this world?!

    1. Re:Poor Emos! by hkgroove · · Score: 5, Funny

      I can just see them shivering in a cold, dank corner, cutting themselves because their journal was hi-jacked.

      No, they wouldn't. Because there's no longer a reason to cut themselves! No one can read or comment about it.

    2. Re:Poor Emos! by j_kenpo · · Score: 1, Redundant

      Damned, Now I know I'm old. Apparently the whole "Emo" scene sprouted up around me, and I had no idea. I had to look that up. Scary... now get off my lawn.

    3. Re:Poor Emos! by ZeroExistenZ · · Score: 5, Funny
      --
      I think we can keep recursing like this until someone returns 1
    4. Re:Poor Emos! by danpsmith · · Score: 1
      Nooo! Poor Emos! I can just see them shivering in a cold, dank corner, cutting themselves because their journal was hi-jacked. What is becoming of this world?!

      It was my understanding that they'd be doing that either way. =P

      --
      Judges and senates have been bought for gold; Esteem and love were never to be sold.
    5. Re:Poor Emos! by EternityInterface · · Score: 1, Insightful

      "There seems to be a lot of latent hostility towards teenage girls. WTF? Your outlet is geeking out on Slashdot. Theirs is LJ. And how do you all know so much about the content of LJ anyway?" (Earlier discourse on the same subject)

      --
      the sun is god
    6. Re:Poor Emos! by Anonymous Coward · · Score: 0

      Current mood: owned
      Current music: Goatse.mp3

    7. Re:Poor Emos! by dr_dank · · Score: 1

      Nooo! Poor Emos! I can just see them shivering in a cold, dank corner

      Don't worry, I don't let those pansies anywhere near my corner.

      --
      Where does the school board find them and why do they keep sending them to ME?
    8. Re:Poor Emos! by Anonymous Coward · · Score: 0

      you're not the only one.

    9. Re:Poor Emos! by rolandog · · Score: 1

      Bash rocks!!! Great quote.

    10. Re:Poor Emos! by TheScorpion420 · · Score: 0

      You haven't got a clue how accurate you are without being funny. I used to date a girl I would not consider an emo chick. Wow, the things she would do for attention.

      --
      If you pay your taxes you support terrorism!
    11. Re:Poor Emos! by mdwh2 · · Score: 1

      Considering the mainstream perception of the stereotypical "geek", I always find it amusing when people on Slashdot bash emo and/or Livejournal ... Eg, "smelly geek who posts to Slashdot all day from his mum's basement" is hardly high up on the ladder of admired stereotypes ;)

      (And on a more serious note, in my experience self-harm seems to be pretty common amongst "geeks", certainly more so than average.)

    12. Re:Poor Emos! by camg188 · · Score: 1

      Hey, LiveJournal has some entertaining blogs. Check out RandomPictures and WTF at LiveJournal.

  3. Livejournal hacks? by Anonymous Coward · · Score: 1, Funny

    Someone took all the amateur porn and replaced it with goatse?

    1. Re:Livejournal hacks? by gEvil+(beta) · · Score: 5, Funny

      I've seen your pictures and can definitively say that the hackers were doing the world a service.

      --
      This guy's the limit!
    2. Re:Livejournal hacks? by Max+Threshold · · Score: 1

      Something like that. I found out about this whole incident about a week ago when I visited the journal of a known non-troll in one of the LJ communities I read. Bantown had taken over her journal and posted a picture of someone fucking a plucked chicken carcass.

  4. Wake up call by Anonymous Coward · · Score: 4, Insightful

    This is a wake up call to people who use these services... sites like MySpace, LiveJournal, all have fancy features that do things that "users want", but at the expense of security because users don't think of/realize/care about security unless it actually results in a successful hack against them. Those who have hacked LJs might want to consider running their blog using plain text instead of all that wacky Javascript (not exactly necessary for something as basic as text on a web page). Ya get what you pay for... I'd be pretty choked if I was a LJ user who paid for a membership and had my pages all highjacked beyond repair, though...

    1. Re:Wake up call by Lehk228 · · Score: 3, Interesting

      myspace already got owned by a javascript worm that worked its way into millions of profiles.

      now instead of fixing the site it asks you for your password 50 f*cking times a day.

      --
      Snowden and Manning are heroes.
    2. Re:Wake up call by supermatt1000 · · Score: 1

      I wouldn't be surprised if MySpace was the next "large social-networking site".

    3. Re:Wake up call by deep44 · · Score: 3, Insightful
      This is a wake up call to people who use these services... sites like MySpace, LiveJournal, all have fancy features that do things that "users want", but at the expense of security because users don't think of/realize/care about security unless it actually results in a successful hack against them.
      While I agree with your point, keep in mind that the accounts in question were compromised when the account owner clicked on a web link pointing to malicious JavaScript, which then stole the appropriate LiveJournal cookie. A plain text blogging service wouldn't stop this sort of thing; this problem was centered around authentication & session management.
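The session-management side of the comment above, as an added example that is not part of the original thread or LiveJournal's code: a session cookie that page script cannot read, a session bound to the client it was issued to, and a re-authentication step before an account's email address can be changed. The store, function names, TTL and the choice of IP plus user agent as the binding are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

const SESSION_TTL_MS = 30 * 60 * 1000; // assumed lifetime: 30 minutes
const sessions = new Map();            // hypothetical in-memory session store

// Hash of the attributes the session is bound to (assumption: IP + user agent).
function clientFingerprint(client) {
  return nodeCrypto
    .createHash('sha256')
    .update(`${client.ip}\n${client.userAgent}`)
    .digest();
}

// Issue an unguessable session id and remember which client it belongs to.
function createSession(userId, client, now = Date.now()) {
  const id = nodeCrypto.randomBytes(32).toString('hex');
  sessions.set(id, {
    userId,
    fp: clientFingerprint(client),
    expires: now + SESSION_TTL_MS,
  });
  return id;
}

// Set-Cookie value: HttpOnly keeps the id out of document.cookie, so script
// injected into a page cannot read it; Secure and SameSite limit where the
// browser will send it.
function sessionCookie(id) {
  return [
    `sid=${id}`,
    'Path=/',
    `Max-Age=${SESSION_TTL_MS / 1000}`,
    'HttpOnly',
    'Secure',
    'SameSite=Lax',
  ].join('; ');
}

// A cookie replayed from a different client is rejected and the session is
// revoked, so a copied cookie is not enough on its own.
function validateSession(id, client, now = Date.now()) {
  const s = sessions.get(id);
  if (!s) return { ok: false, reason: 'unknown-session' };
  if (now >= s.expires) {
    sessions.delete(id);
    return { ok: false, reason: 'expired' };
  }
  if (!nodeCrypto.timingSafeEqual(s.fp, clientFingerprint(client))) {
    sessions.delete(id);
    return { ok: false, reason: 'client-mismatch' };
  }
  return { ok: true, userId: s.userId };
}

// Sensitive changes need more than a live session: the caller must have just
// verified the current password (passwordVerified is that check's result).
function changeEmail(id, client, passwordVerified, newEmail) {
  const v = validateSession(id, client);
  if (!v.ok) return { changed: false, reason: v.reason };
  if (!passwordVerified) return { changed: false, reason: 'reauth-required' };
  return { changed: true, userId: v.userId, email: newEmail };
}
```

Binding to the IP address logs out users whose address changes mid-session, so the attributes chosen for the fingerprint are a trade-off between hijack resistance and convenience.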
    4. Re:Wake up call by Peganthyrus · · Score: 1

      LJ disallows Javascript in user styles or posts for precisely this sort of reason. Flash too. No, I don't know how these people managed to get a Javascript-based attack to work; presumably they found some hole in this ban of Javascript.

      --
      egypt urnash minimal art.
    5. Re:Wake up call by dirvish · · Score: 1

      Ummm, no surprise, 'cause it is already. The company that created recently sold for half a billion dollars.

    6. Re:Wake up call by pilgrim23 · · Score: 0, Offtopic

      In other news, another group of hackers sometimes called "the FBI" used a known exploit, sometimes called "the Warrant" to copy records from many major search engines.

      --
      - Minutus cantorum, minutus balorum, minutus carborata descendum pantorum.
    7. Re:Wake up call by EternityInterface · · Score: 0

      And big G is here to save the day, except that weird thing about going beyond flagging spammers to "potentially offensive or illegal" content.

      --
      the sun is god
    8. Re:Wake up call by Anonymous Coward · · Score: 0

      Useless posts, yeah. They just rock.

    9. Re:Wake up call by TriZz · · Score: 0

      ...actually, myspace no longer allows the use of javascript.

      I think it's unlikely that they'll be able to get in there.

      If they do, I'll cut myself...

      ...a lot.

      --
      No matter how hot a girl is - some guy somewhere is sick of her shit.
    10. Re:Wake up call by Neoprofin · · Score: 2, Informative

      1) The problem was actually in IE's ability to fix and execute broken CSS code which allowed him to input a broken call to a script to get it past the filters and then have IE fix and execute it. The author himself took down his profile to stop the spread and after a few hours of downtime the problem was fixed, in fact there's a /. article about it.
      2) You have to enter your password every time you log out, which is every time you close your browser. Never close the browser never log out. Simple.

    11. Re:Wake up call by Lehk228 · · Score: 1

      it's more than just every time you log out; almost any time you follow a link from outside myspace in you have to log in, even if you have another window already logged in.

      1998 called and wants their hairy spaghetti code website back

      --
      Snowden and Manning are heroes.
    12. Re:Wake up call by Anonymous Coward · · Score: 0

      Plain text? We should just epoxy sticky notes to the wall, that's completely secure!

    13. Re:Wake up call by pennyher0 · · Score: 1

      Actually, the hacks most likely weren't related to user-end features. javascript is disabled on all user-controlled pages (no idea about the internal workings of lj... it's open source, but I know nothing about how it works).

    14. Re:Wake up call by njyoder · · Score: 1

      Javascript and related features are disabled by default. The issue is that they were able to evade the Javascript filters.

    15. Re:Wake up call by camg188 · · Score: 1

      It doesn't surprise me that they have all kinds of malicious script problems. My 14 year old daughter is a typical blogger on Xanga. She spends most of her time editing her layout, which involves: 1.) seeing something she likes on another person's blog. 2.) copying the script from their blog. They have whole blogs that contain nothing but scripts to add "cool features" to copy to their personal blog. Most of the scripts seem to involve CSS manipulation. She doesn't know the first thing about coding, but has added all kinds of "features" to her page. I've explained to her the dangers of doing this, but having a cool looking blog far outweighs the dangers to a typical teenager.

  5. Not really a shock by TerenceRSN · · Score: 0, Redundant

    Considering the majority of personal bloggers write about their personal lives and reveal the most secret of details does it surprise anybody that they're extremely susceptible to targeted attacks? If you're writing about your latest illegal activities or at least embarrassing moments you probably aren't going to be too careful about keeping your username and password secret.

    I know I'm generalizing but there have been plenty of stories here and in print media about all the trouble people get themselves into by posting things about their teachers, school mates, etc. on their blogs and myspace type sites.

    Of course nobody deserves to have their privacy violated, but some people aren't very careful with it to begin with.

  6. Oh dear! by Junky191 · · Score: 5, Funny

    How on Earth are all those white kids in the suburbs going to express their teen angst now?

    1. Re:Oh dear! by SeekerDarksteel · · Score: 0, Redundant

      I guess they'll have to revert back to razor blades, green day, hot topic, and spoken word night at the corner coffee shop.

      --
      The laws of probability forbid it!
    2. Re:Oh dear! by smittyoneeach · · Score: 1

      What a dumb question.
      Clearly, they will use the new <lj-hijack> tags to drone on about the stupidity of parents, education, and responsibility on someone else's journal. ;)

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    3. Re:Oh dear! by Anonymous Coward · · Score: 1, Funny

      Now come on, it's not just white kids in the suburbs whining about how daddy refused to buy them the optional little headlight wiper blades for their Porsche... it's a site for shitty bands too!!

    4. Re:Oh dear! by StrawberryFrog · · Score: 4, Informative

      How on Earth are all those white kids in the suburbs going to express their teen angst now?

      I wouldn't know mate. I'm in my 30s, and I use LJ to keep in touch with family and friends around the world (UK, Australia, US and South Africa mostly).

      Or at least I did, until my account was hacked and locked today. A good number of other accounts are in the same boat. I just hope that the LJ admins sort it out soon. My account email address was changed to bantownlj292@mailinator.com . I just hope my posts are OK. I can't even tell at present.

      --

      My Karma: ran over your Dogma
      StrawberryFrog

    5. Re:Oh dear! by Anonymous Coward · · Score: 0

      I use LJ to keep in touch with family and friends around the world (UK, Australia, US and South Africa mostly).

      Ever try email?

    6. Re:Oh dear! by ZeroExistenZ · · Score: 1

      Check your inbox

      Mailinator is an anonymous "spamtrap" email system accessible for everyone.

      --
      I think we can keep recursing like this until someone returns 1
    7. Re:Oh dear! by StrawberryFrog · · Score: 3, Insightful

      Ever try email?

      What, I should write emails to everyone I know saying "The weather in London is rubbish today....". Sorry, but different technologies are best suited to different things. I let them all know that I have an LJ, and those that want to will go and read it, if and when they want to.

      --

      My Karma: ran over your Dogma
      StrawberryFrog

    8. Re:Oh dear! by StrawberryFrog · · Score: 1

      Update: We're back! Thanks, "Natasha, LiveJournal Abuse Team" I really appreciate the swift reinstatement.

      --

      My Karma: ran over your Dogma
      StrawberryFrog

    9. Re:Oh dear! by Anonymous Coward · · Score: 0

      Email? Pah. I can't have fancy graphics, funny fonts, flashing text, and whiz-bang formatting in an email.

      I mean, if I resort to that, what will my friends think of me? Some of them might even think I've fallen on hard times. I must maintain appearances, after all.

    10. Re:Oh dear! by cno3 · · Score: 1

      By buying and listening to gangsta rap?

    11. Re:Oh dear! by pennyher0 · · Score: 1

      You should be able to reclaim your account if you have access to a previously validated email address.

      I'm surprised the lj support forums aren't flooded with requests on this. I'm only seeing half a dozen, and they're all being replied to with messages along the lines of "thanks for your report. we're aware of it. the errors happened during regular maintenance." That's interesting.

    12. Re:Oh dear! by Anonymous Coward · · Score: 0

      Good point, bad example. Now if the weather in London WASN'T rubbish, that might be blog worthy.

    13. Re:Oh dear! by tylernt · · Score: 1

      "the errors happened during regular maintenance."

      So... LJ getting hacked is a regular occurrence? Got it.

      --
      DRM 'manages access' in the same way that a prison 'manages freedom'
    14. Re:Oh dear! by Anonymous Coward · · Score: 0

      Sounds more like an irc-type of message to me.

    15. Re:Oh dear! by Anonymous Coward · · Score: 0

      The weather in London is rubbish today

      Yeah, you must get tired of writing that every day. :-)

    16. Re:Oh dear! by Achromatic1978 · · Score: 1

      That's what E2 daylogs are for. ;-)

    17. Re:Oh dear! by gameboyguy13 · · Score: 1

      No, that's Myspace.

    18. Re:Oh dear! by mdwh2 · · Score: 1

      Put simply, email is push technology, whilst the web is pull technology.

      When it comes to letting people know about you, for the most part it's a lot better to let other people choose whether they want to read it, rather than you having to decide who might want to read it. On the one hand, you might miss out emailing some people fearing they are uninterested, and on the other hand, you end up spamming people who aren't interested.

      When you take into account commenting, the "spam" issue becomes a far bigger problem. It's bad enough if a friend emails a whole load of people when I'm not really interested - but it's much worse when I get spammed loads of messages, because people are having an email conversation about it. With something like LiveJournal, you can choose whether to follow it or not.

      Email is great for 1-to-1 communication, but it's not up to doing the job of what LiveJournal can be used for.

    19. Re:Oh dear! by pennyher0 · · Score: 1

      well, I'm sure they want to make it sound like they knew it was happening and that it isn't the fault of something beyond their control.

      Lj doesn't want to instil panic in all their emo angsty users. They might cry or something.

    20. Re:Oh dear! by JhohannaVH · · Score: 1

      Hey there Froggeh...

      You can find me on LJ - but yeah, I agree with you, especially when I have a lot of friends that have them and update their stuff regularly too. I have a question about your account getting hijacked though... How do you update it? At home, I use the SeMagic client, I have a complex password, and I don't ever leave it logged in. BUT! At work (behind 2 firewalls), I have to use IE6, but it's fully patched, and most of everything is blocked incoming and outgoing. I can't even access any of my storage.. which *sucks*. :P

      I'm definitely changing my password right now, though. I've always used a multicomplex one.. and I bind everything to IP. Interesting... I'm certainly going to read up more on the vulnerabilities. :)

      Thanks! And I hope the weather in London stays well... my girlfriend is visiting there for 10 days, and I know she'd prefer to see her family in the sunshine. :)

      --
      Sorry man... the Internet pooped on me.
    21. Re:Oh dear! by StrawberryFrog · · Score: 1

      I have a question about your account getting hijacked though... How do you update it?

      I'm using firefox 1.5 on WinXp at home and at work.

      I don't know if this had anything to do with what client I'm using, I thought it might have been between the crackers and the LJ server.

      The password was not a dictionary word, has been changed. But I do sometimes leave it logged in with the cookie.

      --

      My Karma: ran over your Dogma
      StrawberryFrog

    22. Re:Oh dear! by Anonymous Coward · · Score: 0

      But it's just so much more FUN for certain folk to wave their virtual phalluses around and grunt about How Sooooo Suuuuperrrrior they are to those icky LJ users.

      Funny thing: The Slashdotters who actually know what they're talking about, aren't the ones joining in on the Ten Minutes Hate-On for the LJ users.

  7. Mood: Sad :( by Real+World+Stuff · · Score: 1, Insightful

    Cross Site Scripting exploits are not going to go away until the fundamental way these operate changes.

    --
    If we don't fight for ourselves no one will.
    1. Re:Mood: Sad :( by DaveJay · · Score: 1

      Of COURSE XSS scripting attacks can go away, if programmers would take the most basic of precautions. All you need to do is make sure that ANY input you accept from a user ONLY has allowed characters.

      This is a problem of ignorance ("I didn't think of that!") and laziness ("oh, nobody would bother figuring that out"), not of technical problems.
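The allow-list check described in the comment above, as an added example that is not part of the original thread: it covers a constrained field (a username), and adds HTML escaping on output for free text and a scheme allow-list for links, where restricting characters alone would reject ordinary input. The field rules, function names and the `example.invalid` base origin are assumptions made for illustration.

```javascript
// Constructed rules for the example; a real site would define its own.
const USERNAME_RE = /^[a-z0-9_]{1,15}$/;
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Allow-list validation: accept only input made entirely of permitted
// characters, instead of trying to strip out known-bad ones.
function isValidUsername(name) {
  return typeof name === 'string' && USERNAME_RE.test(name);
}

// Free text cannot be limited to a small alphabet, so it is neutralised at
// output time: every character that is markup in HTML becomes an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Links are parsed with the same URL rules a browser applies and only then
// checked, so the filter and the browser agree on what the scheme is.
// The base is a placeholder for the site's own origin (relative links).
function safeHref(raw) {
  let url;
  try {
    url = new URL(String(raw), 'https://example.invalid/');
  } catch {
    return null; // unparseable input is dropped, not repaired
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Build the HTML for one comment from untrusted fields.
function renderComment({ author, body, link }) {
  if (!isValidUsername(author)) {
    throw new Error('invalid username');
  }
  const href = link === undefined ? null : safeHref(link);
  const linkHtml = href
    ? ` <a href="${escapeHtml(href)}" rel="nofollow">link</a>`
    : '';
  return `<p><b>${author}</b>: ${escapeHtml(body)}${linkHtml}</p>`;
}
```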

  8. I bet it's myspace by janvo · · Score: 2, Insightful

    I'm betting that this group will take down myspace accounts next. That website is notoriously bad for bugs and well, in my opinion is just horribly written. I guess we'll see what 'Tom' has to say ... :)

    1. Re:I bet it's myspace by dj_krztoff · · Score: 1

      Probably something to the effect of "We are working on the problem with our code being wide open to attacks, and the fact that I am a douche ... please stop emailing me" That seems to be the common syntax for his "notifications"

    2. Re:I bet it's myspace by porkThreeWays · · Score: 1

      Horrible doesn't begin to describe the awful coding. I've seen bugs as amateur as off-by-1 bugs in their pagination code. It's like they don't check it at all. If you've got 25 posts, and the page size is 25, why am I seeing a next button? Oh well, *click* (blank page comes up).

      Not to mention random bug after random bug that makes navigation difficult to impossible at times. Their extremely lax input validation makes it possible for spammers to set up camp and add 50,000 friends, while appearing to have only 12, and 0 comments.

      And I really don't know how they get away with a 3 hour scheduled downtime every night.

      All in all, it's one of the worst coded blogs I've ever seen, and seems to be the most popular.

      --
      If an officer ever threatens to taze you, say you have a pacemaker.
    3. Re:I bet it's myspace by MikeFM · · Score: 3, Funny

      I'd be more impressed if they could index every dirty picture on MySpace and copy them all out so you could look at them in some linear way without having to work through all that annoying crap about people's lives. Gee at least that'd be useful.

      --
      At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
    4. Re:I bet it's myspace by Anonymous Coward · · Score: 0

      Um, that's what google is for...

    5. Re:I bet it's myspace by Achromatic1978 · · Score: 1

      The fuck is that? It's like someone snuck a camera into a lapdancing club.

  9. Smells like freedom downtime by Anonymous Coward · · Score: 1, Interesting

    Big numbers make for good stories, you have to wonder if Bantown has actually compromised as many accounts as the reporter says they have. Looking at the latest Live journal news post, they don't seem to claim that they've closed all the holes, just that they've taken steps to make their service more secure.

    How come there are no details on the exploit?

    1. Re:Smells like freedom downtime by sharpestmarble · · Score: 0

      > How come there are no details on the exploit?

      Because that'd just serve as a how-to for script kiddies. That's something we don't want to see happen.

      --
      AC's modded -6. I don't see you, I don't mod you, anything you say is lost. Don't like it? Don't be a coward.
    2. Re:Smells like freedom downtime by Anonymous Coward · · Score: 0

      Do you really need details? XSS vulnerabilities are trivially easy to find. You can even write a script to automate the process.

    3. Re:Smells like freedom downtime by gameboyguy13 · · Score: 1

      Because if you supply details before stuff is fixed, people decide to try it and cause more damage?

    4. Re:Smells like freedom downtime by Anonymous Coward · · Score: 0

      Obviously you've never heard of 'full disclosure' or 'security through obscurity'.

  10. Legal Implications by eldavojohn · · Score: 2, Informative
    In LiveJournal's TOS, they state:
    JOURNAL CONTENT

    Guidelines for posting to your online journal shall be as follows:

    1. All Content posted to LiveJournal.com in any way, is the responsibility and property of the author. LiveJournal is committed to keeping the Service in decent standing for all audiences but is not responsible for the monitoring or filtering of any journal Content. Within the confines of international and local law, LiveJournal.com will generally not place a limit on the type, or appropriateness of user content within journals. Those users posting material not suitable for all audiences must agree that they are fully responsible for all the content they have posted anywhere on the service. Should content be deemed illegal by such law having jurisdiction over the user, LiveJournal.com is committed to submitting all necessary information to the proper authorities; ....
    So it sounds like they might be in trouble with people losing property, however also in the TOS:
    MODIFICATIONS TO SERVICE

    LiveJournal.com reserves the right to modify or discontinue, temporarily or permanently, the Service (or any part thereof) with or without notice at any time. You agree that LiveJournal.com shall not be liable to you or to any third party for any modification, suspension or discontinuance of the Service.
    And there are other parts that make it sound like LiveJournal would never be in trouble for this unauthorized access parts. But really, who would bother to post their thoughts and words on a site that has no guarantee of saving them? At any minute, LiveJournal could format its servers and databases and start over with no one able to say anything.
    --
    My work here is dung.
    1. Re:Legal Implications by porkThreeWays · · Score: 1

      This may apply to the free service, but it would never fly for their pay service (I think they still have a pay service anyway). Just because you write something doesn't make it legal or enforceable. Lawyers usually write this sort of garbage and write it in a manner which seems to absolve them of any sort of legal responsibility ever. In the real world many of these terms don't stand up in court.

      --
      If an officer ever threatens to taze you, say you have a pacemaker.
    2. Re:Legal Implications by aiken_d · · Score: 1

      Fortunately for you, Slashdot does promise to save everything, come hell, high water, nuclear war, or a buyout. So your thoughts and words here are safe forever!

      Oh, wait...

      -b

      --
      If I wanted a sig I would have filled in that stupid box.
    3. Re:Legal Implications by Unknown+Lamer · · Score: 1

      And there are other parts that make it sound like LiveJournal would never be in trouble for this unauthorized access parts. But really, who would bother to post their thoughts and words on a site that has no guarantee of saving them? At any minute, LiveJournal could format its servers and databases and start over with no one able to say anything.

      Using a client like Logjam (or emacs lj-update) you can synchronize your journal with an offline copy. The LJ code base is Free Software (well, most of it anyway) so you could always set up your own LJ server. The local entries in logjam are just a directory tree of xml files (with each xml file being a month of entries in a very simple xml format), and it wouldn't be difficult to write a program to translate them into any format you wanted (I could do this fairly quickly using Scheme + SSAX). The only issue left would be external images. I store all of my lj related images on my site in a special dir so I would still have those, and you can now insert images from Scrapbook into your journal so someone could write a ScrapBook backup script, and then you could write a quick perl script to find/replace all of the scrapbook references with whatever host you wanted to copy the images to.

      As long as you keep a local backup of your journal (which is easy to do with tools easily available for any system) it would be fairly painless to move them anywhere else. The tasks are simple enough for even a not-so-good programmer to code up into a simple application for others to use.

      --

      HAL 7000, fewer features than the HAL 9000, but just as homicidal!
    4. Re:Legal Implications by Max+Threshold · · Score: 1

      That's why there are personal backup clients for anyone who cares.

    5. Re:Legal Implications by MooUK · · Score: 1

      If they were to intentionally delete everything, then they would likely go bankrupt very shortly after.

    6. Re:Legal Implications by mikiN · · Score: 1

      If Slashdot doesn't save your postings, Google will (at least for some period in time).

      --
      The Hacker's Guide To The Kernel: Don't panic()!
    7. Re:Legal Implications by gameboyguy13 · · Score: 1

      And the Wayback Machine will save it too. Mostly.

  11. What a DANGEROUS thing to do... by PortHaven · · Score: 1, Funny

    How many livejournalers are unstable?

    Watch, some overly depressed LJ'er is going to flip out and take a sledgehammer to the skulls of the perpetrators. Very dangerous to mess with the journals of unstable people.

    *click*
    *cluck*
    *cluck*
    *cluck*
    *cluck*

    Just ignore the sound of me loading rounds into my clip...you didn't hear that...

    1. Re:What a DANGEROUS thing to do... by RollingThunder · · Score: 2, Funny

      The perpetrators just need to make sure they never visit the victims' parents' basements.

    2. Re:What a DANGEROUS thing to do... by rkanodia · · Score: 2, Funny

      *click*
      *cluck*
      *cluck*
      *cluck*
      *cluck*


      Somehow, I don't think they're going to be very afraid of the mechanical chicken you just activated.

    3. Re:What a DANGEROUS thing to do... by Firewalker_Midnights · · Score: 1

      I think he was actually loading the famed "Chicken Cannon"

      ----

      But really, what was the point of hacking livejournal? Did someone write some Linkin Park lyrics incorrectly and the hackers decided to correct them?

      --
      I Lost My Virginity While Waiting for BSD to Compile.
    4. Re:What a DANGEROUS thing to do... by Anonymous Coward · · Score: 0

      How many livejournalers are unstable?

      What? Are you afraid that they will commit myspace suicide because they lost their journal?

    5. Re:What a DANGEROUS thing to do... by PortHaven · · Score: 1

      You'd be amazed...with the number of people who are afraid of clowns, and robotic clowns all the more,...the famed mechanical rubber chicken can be frightful to many.

  12. Oh no! by BigZaphod · · Score: 1, Insightful

    from the article:

    Bantown claims to have figured out a way to subvert that test, and to have even released a free, open-source program that others could use to do the same.

    I like how it was pointed out that this little program is "open-source" almost as if that's a bad thing.

    1. Re:Oh no! by Billosaur · · Score: 1
      Bantown claims to have figured out a way to subvert that test...

      CAPTCHA images are useful, but not unbreakable. If they were planning on using that as their only line of defense against scripts, they were really kidding themselves. Simple distorted and discolored text is difficult but not impossible to crack. The CAPTCHA Project is working on more sophisticated forms, using multiple words, image groups, and even audio.

      --
      GetOuttaMySpace - The Anti-Social Network
    2. Re:Oh no! by brontus3927 · · Score: 1

      Care to point out some of these cracking tools? I'd really like to be able to join a yahoogroup in under 3 tries

    3. Re:Oh no! by starwed · · Score: 1

      Livejournal itself is open source, but I rarely see that mentioned.

    4. Re:Oh no! by makomk · · Score: 1

      Bantown claims to have figured out a way to subvert that test, and to have even released a free, open-source program that others could use to do the same.

      Seems to work, too - took under 4 seconds to process the sample captcha I captured (on my aging 1GHz Duron), and got the right result. I'm not sure what its success rate is like, and I'm not going to try testing that. Looking at the captcha, it doesn't look that secure, to be honest (one font, moving letter heights, trivially-ignored noise, no distortion).

    5. Re:Oh no! by evanh · · Score: 1

      For all the windoze weenies:
          Saying it's open-source is equivalent to saying it's a free download. In the unix world the user programming model is source code compatible rather than binary code compatible so offering a binary only is very limiting.

      Evan

  13. Well... by Ardeocalidus · · Score: 1
    I'm really not surprised. The LJ engine has been extremely vulnerable and these 0days are just more proof that corporate entities don't pay attention to security the way they should. The engine is written in PERL and needs a base of extensive javascript.

    It's a good thing that only a few sites run the LJ engine. They tend to be rather short-lived because of LJ's vulnerability. One of the others running the LS Engine is DeadEngine, a journal for gothic, emo kids (http://www.deadjournal.com/).

    1. Re:Well... by Anonymous Coward · · Score: 0

      1. Why does it matter that it was written in Perl?

      2. I don't think it "needs" javascript. It is not any javascript from the LJ code that is causing the problem, it is javascript entered by users.

    2. Re:Well... by njyoder · · Score: 1

      They're not 0-day, LJ is just really slow in keeping up with these things. I noticed one recently fixed XSS bug was fixed in Horde/IMP over a year ago.

  14. Is Six Apart able to deal with this properly? by mpontes · · Score: 5, Insightful
    I've been following this lately, and Six Apart's behaviour on this situation seems quite lacking. If what the article says is true and bantown have been just stealing cookies, the only measure they took, a recent change in LJ's subdomain policy, seems quite pointless, since cookies are bound to .livejournal.com, anyway.

    They also don't tell us which browser is affected on the newspost. How can we be safe if we are not informed? Can Six Apart actually deal with this in a professional way? I've been noticing LiveJournal is really slow and it hangs a lot lately. It seems that they know nothing about security and are just randomly mashing buttons in an attempt to hit the nail on the head.

    Is Six Apart that incompetent that they can't prevent such attacks after they have been going for days, or is this bantown group really that good?

    --
    Bored? Browse Slashdot with a +6 modifier for Troll comme
    1. Re:Is Six Apart able to deal with this properly? by Anonymous Coward · · Score: 0

      from a comment beneath the Post article, apparently made by the author himself:

      Wiredog -- Shoot, I forgot to address that in the posting. LJ considered the flaw related to a Firefox problem, but Bantown says that's not really the issue here. From my discussion with the Bantown people:

      "Livejournal assumed the majority of our javascript injection attacks involved malicious code implanted in style sheets or user posts, and they have heavily audited this area for bugs. The changes they made were for a Firefox-specific bug-- they assumed it was the key to the XSS attacks that we were doing. Ours affect all browsers though, and we were not using this Firefox-specific vulnerability."

      I'm sorry I don't have more info about the FF specific bug.

      Posted by: Bk | Jan 20, 2006 1:03:27 PM

    2. Re:Is Six Apart able to deal with this properly? by rplacd · · Score: 0, Offtopic

      I've been noticing LiveJournal is really slow and it hangs a lot lately.

      Are you a paid user? Paid users end up in a higher priority queue, so they get their pages a lot faster. For example, I just loaded my friends page, and this is in the comments near the top of the page:

      LiveJournal ExpressLane: You received this page before 4 free users, saving approximately 1 seconds!

    3. Re:Is Six Apart able to deal with this properly? by davidsyes · · Score: 1

      First of all, NONE of my e-mail or forum memberships log in automatically. Even though I live alone and even tho my desktop automatically locks (and, I CTRL + ALT + L when I leave before the screen saver locks). I purge the cookies after each site logon, even when I switch between two IDs on the same servicing site.

      On a site of which I have a membership, I logged out, closed the tab for that site, went into: /home/username/.kde/cache-username/http/letter-of-site-being-talked-about

      and then disconnected the ethernet to the cable modem. HOURS later (like 10 hours later) I returned home and clicked on one of the URLs of my own profile (or, maybe it was another profile from which I traversed to my own when I realized what was going on here...).

      That site uses .asp or .aspx stuff. It's intermittent, but I have gotten into my own profile at least TWICE during the past month or so.

      Why the hell don't they give us an OPTION to use encrypted logon AND session use, not just logon?

      But, I suppose the connection is meant to time out after say 10 seconds of a CAT-5 pull, or immediately when the browser aborts or the user logs off. But, 10 HOURS????

      --
      Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
    4. Re:Is Six Apart able to deal with this properly? by Anonymous Coward · · Score: 1, Funny

      Hey davidsyes, the library called and they want their book back.

    5. Re:Is Six Apart able to deal with this properly? by stevencbrown · · Score: 1

      Where do I sign up? Because the seconds really count for people who want to waste their day reading whiney kids moaning on the internet.

    6. Re:Is Six Apart able to deal with this properly? by Max+Threshold · · Score: 3, Interesting
      The LiveJournal development and support staff have always been incompetent. In the past, they've compensated paid users with extensions on their subscriptions because of extended service problems they didn't seem to know how to fix. Most recently, they moved their servers from Seattle to L.A., and for the next month, nobody was receiving their comment notifications. They claimed to have fixed it, then realized they hadn't, then sort of brushed it under the rug. I'm still missing all my comment notifications from the month following November 22, 2005. (And there's no other way to follow threads in communities.)

      In many ways, LiveJournal is becoming one of those sites that people only use because it's well-established. If it were new, the glaring problems with the software that runs it would leave it DOA... much like Photo.net and Slashdot.

    7. Re:Is Six Apart able to deal with this properly? by njyoder · · Score: 1

      The new cookie system hasn't actually been implemented yet. They've only implemented the first part, which involves changing the subdomain system. The new cookie system will involve cookies for each subdomain and various redirects to ensure that you can only compromise individual journal access at best. Even then, I'd imagine they'd set those subdomain cookies to expire quickly so you'd have to act on them fast.
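
The cookie-scoping point argued by mpontes and njyoder above, as an added example (not code from the thread or from LiveJournal): a cookie set with `Domain=.livejournal.com` is visible on every journal subdomain, while a host-only cookie is visible on one. Hostnames, cookie names and values are constructed, and the matching follows RFC 6265 without the public-suffix check real browsers add.

```javascript
// Added example: RFC 6265 cookie domain matching.
// Hostnames and cookie values below are constructed for illustration.

// True when `host` is `domain` itself or a subdomain of it (RFC 6265, 5.1.3).
function domainMatch(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase();
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(':');
  return !isIp && h.endsWith('.' + d);
}

// Parse one Set-Cookie header as received from `requestHost`.
// Returns null when the header is malformed or names a foreign Domain.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null;
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: requestHost.toLowerCase(), // default scope: the exact host
    hostOnly: true,
  };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    if (key.trim().toLowerCase() !== 'domain' || val.trim() === '') continue;
    const d = val.trim().replace(/^\./, '').toLowerCase();
    if (!domainMatch(requestHost, d)) return null; // server may not set it
    cookie.domain = d;
    cookie.hostOnly = false; // now shared with every subdomain of d
  }
  return cookie;
}

// Would a page (and any script injected into it) on `host` see this cookie?
function cookieVisibleTo(cookie, host) {
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatch(host, cookie.domain);
}

function hostsThatSee(cookie, hosts) {
  return hosts.filter((h) => cookieVisibleTo(cookie, h));
}

// Constructed hosts: the main site, two journals, and a look-alike domain.
const HOSTS = [
  'www.livejournal.com',
  'alice.livejournal.com',
  'mallory.livejournal.com',
  'livejournal.com.example.net',
];

// Site-wide session cookie: moving journals to subdomains changes nothing.
const siteWide = parseSetCookie(
  'session=SITEWIDE; Domain=.livejournal.com; Path=/', 'www.livejournal.com');

// Per-journal cookie: script on another journal's page cannot read it.
const perJournal = parseSetCookie(
  'session=ALICE_ONLY; Path=/', 'alice.livejournal.com');

console.log('site-wide  ->', hostsThatSee(siteWide, HOSTS));
console.log('per-journal ->', hostsThatSee(perJournal, HOSTS));
```
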

    8. Re:Is Six Apart able to deal with this properly? by Khyber · · Score: 1

      Is Six Apart that incompetent that they can't prevent such attacks after they have been going for days, or is this bantown group really that good?

      Your answer is yes for the first part, no for the second.

      I have almost NO programming knowledge/experience. However, with my analytical abilities, I called them out on their telling *ME* to change my password (because it's too easy to guess.. my ass) by telling them they had no reasonable idea about security. I KNEW THIS SHIT WOULD HAPPEN SOONER OR LATER. I hate being right.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  15. Ahhhhh security.... in Web 2.0 land by TedTschopp · · Score: 4, Interesting

    As we move more towards applications that depend on the JavaScript enabled client (AJAX and all his relatives) we will see more of this hacking.

    On the bright side, it will eventually get people to code securely in a non-trusted environment because the source code is not only available, but changeable.

    Sadly, there will be a bunch of rough lessons between that wonderful future and what we have right now, especially with all the focus on WEB 2.0 and Ajax.

    --
    Fantasy remains a human right; we make in our measure and in our derivative mode... -- JRR Tolkien
  16. Dear Bantown Members, by Anonymous Coward · · Score: 0

    If you're going to hack myspace, please start here.
    And can you disable the tag while you're at it?
    Thanks,
    Nathan

  17. Even more appalling... by Orrin+Bloquy · · Score: 5, Funny

    ...they hacked into my LJ and corrected all the meter in my "I am sad/I want to die" goth poetry!

    --
    "Made up/misattributed quote that makes me look smart. I am on /. and I must look smart."
    1. Re:Even more appalling... by kadathseeker · · Score: 1

      From bash.org...

      flook: bugger, I accidentally printed a page of all black and now I have no ink left :-/

      Steve_Cajun: flook> practising your goth poetry then? :)

      --
      The 'Net is a waste of time, and that's exactly what's right about it. - William Gibson
    2. Re:Even more appalling... by starwed · · Score: 1

      I just don't get the massive amounts of these jokes that appear on slashdot. Almost everyone I know uses LJ, and none of them use it to post goth poetry. They just use it as a blog...

    3. Re:Even more appalling... by original_nickname · · Score: 1

      In my lonely midnight darkness I agree,
      I drain my heart in a blog there for free,
      The entries are often midnight black,
      but not melancholy as if they were hack
      ed by a nefarious script kiddie from afar,
      with satanic heart and dark workings of java.

      In my lonely wanderings never do I espy,
      a blog so dark and gothic like that of I,
      I howl at night with terror at his,
      and knowing this poem just takes the piss.

  18. Well... by PornMaster · · Score: 1

    It means that people can see how it's done and try modifying it, instead of just running a binary.

    In the same way that having the source can be good when used in positive ways, you've got to admit that it's also bad when used in negative ways.

  19. Oh dear!-SlashBlog by Anonymous Coward · · Score: 2, Funny

    "How on Earth are all those white kids in the suburbs going to express their teen angst now?"

    Post to Slashdot.

    1. Re:Oh dear!-SlashBlog by charlesnw · · Score: 1

      No. Never!!! They must be stopped. Slashdot is a high quality site with lots of useful content and posts that are insightful and add meaning and value to a discussion.
      I must write exploits to wipe myspace from the face of the earth. The resulting flood of people complaining on livejournal will cause it to melt down. And they thought a slashdotting was bad. Hah! Those won't be dummy accounts that are getting created and used. No they will be real accounts. Of course the scary thing is that all these kids will get together and pay someone to build another myspace using the LJ code. Then it will rise up and overtake the world. Grrr. I thought I had it all figured out.

      *goes back to drawing board*

      --
      Charles Wyble System Engineer
  20. Details are scarce. by Peganthyrus · · Score: 4, Insightful

    It would've been nice if LJ's news post on starting to fix this vulnerability had said which "popular browser" was affected.

    Also, I somehow find myself suspecting that the anonymous person calling this 'Bantown' group 'notorious' is probably a member of it.

    Details are scarce; all I could find in the LJ_Dev community relating to this was one post about the effects of the first phase of the fix. Especially check Brad's comments.

    --
    egypt urnash minimal art.
    1. Re:Details are scarce. by tsu+doh+nimh · · Score: 1

      Looks like this wasn't really a browser problem. I just spotted this in the comments section of the Post's story, probably written by the author:

      "Wiredog -- Shoot, I forgot to address that in the posting. LJ considered the flaw related to a Firefox problem, but Bantown says that's not really the issue here. From my discussion with the Bantown people: "Livejournal assumed the majority of our javascript injection attacks involved malicious code implanted in style sheets or user posts, and they have heavily audited this area for bugs. The changes they made were for a Firefox-specific bug-- they assumed it was the key to the XSS attacks that we were doing. Ours affect all browsers though, and we were not using this Firefox-specific vulnerability." I'm sorry I don't have more info about the FF specific bug. Posted by: Bk | Jan 20, 2006 1:03:27 PM"

      --
      ...because you never know who you're dealing with.
    2. Re:Details are scarce. by Peganthyrus · · Score: 1

      Yeah. And, of course, are the Bantown people telling the truth, or lying?

      I mean, a little googling found what looks to be their real site, with a tempting file in their source repository called "pw-lolercaust-0.2.tar.gz"... that's only 2k. Bet it's a pathologically deformed .gz that expands to many, many gigs of "LOL" over and over again.

      --
      egypt urnash minimal art.
    3. Re:Details are scarce. by Anonymous Coward · · Score: 0

      YHBT YHL HAND

    4. Re:Details are scarce. by nutsy · · Score: 1

      Let's see, I checked the file with 'gzip -l' and... OH MY GOD IT'S AN ENTIRE 8192 BYTES LONG! WAY TOO BIG FOR MY AMIGA TO HANDLE!!

  21. Another problem of the user. by mendaliv · · Score: 1

    From TFA:
    Bantown members said they created hundreds of dummy member accounts featuring Web links that used the Javascript flaws to steal "cookies"...

    And they claim to have the cookies for nine-hundred thousand accounts?!?! I'll admit that's probably a bloated number, but even ten percent of that is impressive.

    Honestly, for all the money we put towards advocating safe sex, we should be putting at least a little towards safe browsing.

    How many worms/virii/exploits in the past two years have required the victim to be duped into clicking on a mysterious link, or running a file in a mysterious e-mail?

    I'm not saying that I mind the earnings when I get to clean up one of those infected computers, but it's just astounding.

    1. Re:Another problem of the user. by heinousjay · · Score: 1

      Honestly, for all the money we put towards advocating safe sex, we should be putting at least a little towards safe browsing.

      Yeah, I agree. We need to reset our priorities. In the face of having my bad poetry on LiveJournal inaccessible, what harm does AIDS really do?

      --
      Slashdot - where whining about luck is the new way to make the world you want.
    2. Re:Another problem of the user. by MrSippyCup · · Score: 1, Insightful

      I'm tired of formatting my drive every year or so because of the stupid combination of Windows and the internet. More work needs to be put into emulation for linux so I can enjoy my games on a good system.

  22. Great! by blake3737 · · Score: 2, Funny

    Great! While they're in there hacking around they can fix all the spelling errors and bad grammer so prolific in LJ

    1. Re:Great! by Stephen+Williams · · Score: 3, Funny

      Then, they should break into Slashdot and fix the spelling of "grammar" in your comment ;-)

      -Stephen

    2. Re:Great! by mattmacf · · Score: 2, Informative
      ...all the spelling errors and bad grammer so prolific in LJ

      You realize where you're posting this, right?

      --
      I only mod funny =D
    3. Re:Great! by Ben+Varrey · · Score: 1

      Or maybe they could just start with your post! Grammar, friend, and sentences end with periods. Man, I'm a LiveJournaler, too...Ouch.

  23. Re:Ahhhhh security.... in Web 2.0 land by Bogtha · · Score: 1

    As we move more towards applications that depend on the JavaScript enabled client (AJAX and all his relatives) we will see more of this hacking.

    I wouldn't say that. Cross-site scripting is usually caused by user-supplied data being inserted into a page improperly. That's a problem with the bit that generates the HTML. Using more Javascript on a page doesn't change that; a page can use no Javascript whatsoever and still be vulnerable to cross-site scripting attacks.

    --
    Bogtha Bogtha Bogtha
  24. Hackers 1, Dancing JS Jesus: 0 by 192939495969798999 · · Score: 1

    If you want to put tons of dancing Jesus's on your page, and you get hacked, is it really that big a surprise? I'd be tempted to hack someone's blog just to shut off the Dancing Jesus on every post.

    But if you get hacked for Peanut Butter Jelly Time, now there's a travesty!

    --
    stuff |
  25. Seen on a hacked page by dkleinsc · · Score: 5, Funny

    Current mood: 0wned

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
  26. I don't know by rsilvergun · · Score: 1

    these guys should watch themselves. Myspace and Livejournal are huge, and probably big business by now. I'd expect a criminal investigation, and at least a few lambs thrown to the wolves (read: jail time).

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:I don't know by neocon · · Score: 2, Interesting

      ``Lambs'', of course, are innocent and defenseless. I think you mean ``wolves thrown to the farmers''...

    2. Re:I don't know by rsilvergun · · Score: 1

      I guess it depends on how you look at it. Most of these guys are just punk kids playing digital vandal without the slightest clue as to the world of hurt they'll be in if they get caught. Does a kid with a can of spray paint expect to face years in jail and millions of fines? From the perspective of a script kiddie that's all they really are. It's not that they're innocent, I'm just saying they probably don't have a clue of the scale of things here.

      --
      Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    3. Re:I don't know by neocon · · Score: 1
      No, you're right -- my analogy was extremely unfair...

      ... to the wolf. At least the wolf, when it breaks into the fold, is trying to feed itself and its pack. These punk kids are just breaking things for the joy of hearing them break. It's not like it's 1983 again, either -- these things have been against the law (and the law has been enforced) for the entire lifetime of some college freshman now downloading shellcode which he couldn't write and doesn't really understand.

      Throw the book at 'em. :-)

  27. Re:Ahhhhh security.... in Web 2.0 land by aztracker1 · · Score: 3, Interesting

    I don't see how it will necessarily be *more* dangerous than today... simply hit some main points.. strip script tags altogether from user input... or detect/escape them. with link tags, remove them if the href starts with "javascript:" and third, remove on* event attributes from any user inputted tags... issue resolved (for the most part)...

    The problem isn't the level of javascript in a site, the problem is checking/validating user input. This is something most developers, especially professional ones, should know.

    --
    Michael J. Ryan - tracker1.info
  28. it was funny by conJunk · · Score: 4, Funny
    that was the funniest part of TFA:

    So far, the damage has been mostly harmless. The most high-profile case so far came in mid-October when one Myspace.com user released a self-replicating computer worm that took advantage of Javascript flaws to add more than a million fellow users to his buddy list. A similar worm hit the online community Xanga on New Year's eve (there is also some strong language at this link.)

    he used his worm to add people to his buddy list! that's really really funny! look how popular i am! i've got millions of friends! no one will laugh at me now!... er... i uh... yes... i wrote a worm to make friends for me....

    1. Re:it was funny by Anonymous Coward · · Score: 0

      That's amazingly similar to what TripMaster Monkey does. TMM uses a formula (subscribe, google for information about the forthcoming article, post links, reap karma and fans) which could very easily be scripted, just like that worm.

    2. Re:it was funny by ggvaidya · · Score: 1

      samy is my hero! (it's a great story, check out the technical explanation as well ...)

  29. MySpace by phalse+phace · · Score: 2, Funny
    [Bantown] group members said they plan to turn their attention to looking for similar flaws at another large social-networking site.

    [ says to himself ]
    Please let it be MySpace. Please let it be MySpace.

    1. Re:MySpace by Anonymous Coward · · Score: 0
      Please let it be MySpace.

      Way too few caps and italics. You need to say:

      P leeeease let it be MYSPACE!!!!!!!!!!!

  30. Re:Ahhhhh security.... in Web 2.0 land by Qzukk · · Score: 1

    That's the usual way of doing it, but AJAX is commonly used to generate HTML within the javascript, meaning that without proper care, the AJAX code itself can be used to delete the text. Take for instance an annotation system where you highlight text on a website and write your own annotation, which can in turn be annotated. As a "feature", the javascript creates a new div containing the text to be annotated, and a textarea for your annotation. If you add an annotation containing some html tags escaped to appear as etc then someone highlights that and hits "annotate", if the javascript doesn't check to re-escape the < etc, it might spit the script tag out intact, for the browser to process.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  31. Brown shirts by MikeRT · · Score: 1, Insightful

    And this is different from going out in public and shouting down a conversation or trying to shut down a protest that you disagree with, how? These crackers are brown shirts, not heroes.

    1. Re:Brown shirts by Anonymous Coward · · Score: 0

      You're a brown noser.

  32. Bantown! (sung in the Petula Clark style) by digitaldc · · Score: 5, Funny

    When your site is down & Livejournal's making you angry
    You can always blame - Bantown!
    When you've got blogs, all the noise and the worry
    Seems to stop, I know - Bantown!
    Just listen to the music of the vulnerable website
    Linger on the domain where the CSS is not right
    You only lose!

    The lags are much longer there
    You can see all your troubles, see all your fear
    So go Bantown! things'll be worse when you're
    Bantown! - no security measures, for sure
    Bantown! - everyone's waiting on you!

    --
    He who knows best knows how little he knows. - Thomas Jefferson
    1. Re:Bantown! (sung in the Petula Clark style) by Control+Group · · Score: 1

      Wow

      Nicely done.

      Wish I had modpoints.

      --

      Reality has a conservative bias: it conserves mass, energy, momentum...
    2. Re:Bantown! (sung in the Petula Clark style) by digitaldc · · Score: 1

      Nicely done.

      Thanks, Petula Clark and Death Metal have always had a huge influence on me.

      --
      He who knows best knows how little he knows. - Thomas Jefferson
    3. Re:Bantown! (sung in the Petula Clark style) by aliensporebomb · · Score: 1

      Thanks. That was great.

      I could hear it in my head even.

    4. Re:Bantown! (sung in the Petula Clark style) by gEvil+(beta) · · Score: 1

      Good combination of influences. : p

      --
      This guy's the limit!
  33. This is Cross Site Scripting by mrkitty · · Score: 5, Informative

    I've written an FAQ on this type of attack which can be found below.
    The Cross Site Scripting FAQ

    --
    Believe me, if I started murdering people, there would be none of you left.
  34. Re:Easy to tame the dogs by mpontes · · Score: 1

    Mod parent up, it's true. A user posted an email he got from bantown saying that on his LJ, too.

    --
    Bored? Browse Slashdot with a +6 modifier for Troll comme
  35. Facebook by Anonymous Coward · · Score: 0

    I'd love to see these guys hack facebook.

  36. MySpace Already Got Hit by XSS Worm by miller60 · · Score: 1
    MySpace has already been hit with a cross-site scripting worm.

  37. Long Standing Xanga Vulnerability by gasjews · · Score: 2, Informative

    The GNAA Security Center released working exploit code for the Xanga blogging service (which, I might add, predates MySpace by quite a long time, and maybe LJ too).

    This exploit works because Xanga lets users insert Javascript codes into their websites. A malicious user just needs to add the code to their "Look and Feel" control panel and then the Javascript code will send the login cookies of anyone who visits their page to a remote server. Xanga has rudimentary JS filtering of "bad" functions but these filters can easily be bypassed by using the document.print method to write out the bad code across several calls (i.e. document.print("");). Xanga knows about the problem but will not fix it.

    This code was used to breach security of several Xanga administrators for many months.

  38. frequent problems by headonfire · · Score: 2, Interesting

    since the six apart acquisition and the moving of the data center from seattle to san francisco, livejournal has actually had perpetual technical issues. User pictures being jumbled, comment notification emails broken (this has been a reoccurring one), problems during peak load hours, community comments, and the like. Every day I look on in greater dismay as admin messages tell me something else is broken or having troubles. I like the service enough to pay for it, so I can keep in touch with old friends I've moved away from. But the 6apart and data center swap were terrible, terrible ideas that are degrading service quality inch by emo little inch.

  39. Oblig. Family Guy... by everphilski · · Score: 1

    (Chris paints some abstract art and gives it to his father for his birthday)

    "Its partially an expression of my teenage angst... But mostly it's a moo-cow!"

  40. Professionals by Trump · · Score: 1

    These sites aren't made by professionals. Even if the coders are good, the management isn't.

    A few months ago I interviewed with the company that owns myspace. They told me they would expect me to be modifying code on the live servers on the first day.

    No time to poke around and see if my changes might break something else.
    No staging server.
    No debugging.
    Direct modifications to the live servers.

    That works fine if you are working on the site for a Quake clan, but for a high traffic, "professional" site with millions of users? Obviously not.

    1. Re:Professionals by charlesnw · · Score: 1

      I find that very hard to believe. You are telling me that Fox doesn't use source control? And you're telling me that in an interview they tell you that you're going to be coding the first day? That is so ridiculous it's not even funny. No one is going to be working on the first day. And you would be under the leadership of a senior programmer. Who knows the system. Here is a litmus test: What language is MySpace coded in? Mmmm? Yeah I didn't think you knew that. Stop cluttering slashdot with posts that say you know it all or have an "inside track". You don't.

      --
      Charles Wyble System Engineer
    2. Re:Professionals by seann · · Score: 1

      cold fusion?

      --
      I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
    3. Re:Professionals by Trump · · Score: 1

      Actually, Mr. Knowitall, Fox doesn't own Myspace; the company was Intermix Media, which was bought by News Corp in July.

      I did work on a site for Fox and that, against my recommendations, had no version control either. You might be surprised to learn that Fox farms out most, if not all, of their web work to other companies.

      Myspace is written in ColdFusion, but you can tell that just by looking at the site.

  41. allowed characters by brlewis · · Score: 1

    If you want to allow users to put in any HTML except for malicious javascript, it gets a little more tricky than that.

    1. Re:allowed characters by plover · · Score: 1
      That's why you whitelist the HTML tags you support, and then you still sanitize the users' data. Your permitting random HTML allows skript kiddies to take advantage of new exploits as they are revealed.

      Even if the page was secure when you wrote it, the latest version of Apache (OK, IIS) might have a hole in the new FOO tag. You'd have to know to revisit your sanitizing routine to plug the newly discovered holes, and you'd need to do it fast before you're hit by the bad guys. A whitelist of nice safe timeworn tags may be less "user friendly" but is certainly more "future-security-proof".

      --
      John
    2. Re:allowed characters by Anonymous Coward · · Score: 0
      It's not so tricky if you use Perl:
      use HTML::TagFilter;
      my $tf = new HTML::TagFilter;
      my $clean_html = $tf->filter($dirty_html);
      See http://search.cpan.org/~wross/HTML-TagFilter-1.03
    3. Re:allowed characters by wolrahnaes · · Score: 1

      I believe this is why most forums now use BBCode or some derivative of it. Using HTML-like tags but with enough difference to be easily distinguished ([ and ] vs. < and >) and then sanitizing the HTML tags into the proper codes is a good way to do it. You not only totally eliminate XSS attacks (as long as you remember to HTML-sanitize BEFORE doing the BBCode parsing), but you also add the ability for people to just simply paste in HTML code and have it display as code, rather than having to remember to convert with &gt;, &lt;, and whatever else.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
  42. YUMMY! by Anonymous Coward · · Score: 0
    C is for cookie.

    B is for #bantown.

  43. I'm pretty sure they're not bluffing... by metalpet · · Score: 2, Interesting

    ...about the 16 other XSS attacks.

    I've reported an XSS flaw exploitable over IE to LJ over 2 years ago, and the flaw is still exploitable to this day.
    (Yes, the email report was read by the right folks over at LJ.)

    I'm slightly overdue to send them my yearly reminder, I think. (I should probably set up a cron job for that.)

  44. Re:Easy to tame the dogs by Peganthyrus · · Score: 1

    Jameth has a history of being part of these sorts of things - he was involved in 'ljdrama.com', a website dedicated to pointing people to LJ entries full of 'drama' to point and laugh, and possibly troll, and was also involved in 'frienditto', a spinoff of LJDrama that would make publicly-viewable archives of friends-only posts... if you gave it your username and password to log in as, of course.

    Interestingly enough, Hepkitten, who is mentioned in the Encyclopedia Dramatica page cited in the article as being Bantown's site, is also part of the ljdrama/frienditto/etc circles.

    I'd take that email with a salt mine or two.

    --
    egypt urnash minimal art.
  45. Quickest Way to get it fixed.. by Anonymous Coward · · Score: 1, Insightful

    Let Slashdot know about it. GNAA/Bantown/ANUS/Buttes has a rather good track record of getting these types of ignored security holes fixed rather quickly.

  46. No one knows by TwilightXaos · · Score: 1

    I presume that Bantown hasn't been nice enough to supply details of their 16 other exploits, perhaps not even of the first ones, to LJ. Perhaps the only ones that know the details of the exploit(s) are the members of Bantown. Has anyone tried contacting this group and asking for details?

  47. Re:Ahhhhh security.... in Web 2.0 land by merreborn · · Score: 1

    My father's been designing multiuser apps since the '80s on quantumlink.

    He taught me a simple, valuable lesson that programmers ignore every day, often with harsh consequences.

    DON'T TRUST THE CLIENT.

    There's never a guarantee that the computer your server is communicating with is running the client you wrote, be it in 6502 assembly or Javascript.

  48. user shouldn't have to worry by brlewis · · Score: 1

    It should be that the worst consequence of clicking a mysterious link is seeing something you don't want to see. Preventing XSS requires more work than it probably should when you want to allow a subset of HTML. Putting the onus on the user isn't right even though the alternative requires a lot of work.

  49. economics by Anonymous Coward · · Score: 1, Interesting

    Cross Site Scripting is compounded by the fact that many of these sites use plain cookies for authentication.

    A while back I deciphered mySpace's cookie encoding so I could log in as any user. I was disgusted. When I managed to chat with mySpace's CIO, it became clear they had no intention of fixing this.

    In their opinion, the economics of better security didn't make sense. Server clustering meant that traditional {fast} sessions wouldn't work, and using a database to store session info was too slow.

    I'm not sure if this is still true, but at the time, advertising hit counts mattered, security did not.

  50. Not my meaning at all by mendaliv · · Score: 1

    Sorry, I should've been more clear. I didn't mean to say that the fault falls entirely, or even mostly, on the end user. To say so is just plain naive.

    What I am saying is that it would be nice to have users at least exercise *some* care in what links they click on.

  51. So... by SheeEttin · · Score: 0

    So, can we have the code?

  52. Re:Ahhhhh security.... in Web 2.0 land by Gyorg_Lavode · · Score: 1
    It seems to be fairly hard to remove javascript from input where other tags are allowed. By removing things you introduce other things. And web browser parsing becomes even more complex.

    Is there an easier way to check for injections on rendering of the data rather than on saving of the data?

    --
    I do security
  53. Wonder why they haven't notified Californians... by web_boyo_in_sac · · Score: 1

    as a LiveJournal user and a California resident, I'm a little confused, as per state law they are required to inform users of breaches of security like this.

  54. And now, by Council · · Score: 4, Insightful

    Cue the 500 posts about "haha, sucks for those Livejournal-using emo fucks" which help (a) put me off of Slashdot for a few days, and (b) obscure the actual information about how I should secure my account or what vulnerabilities these break-ins made use of.

    I'm taking a deep breath and trying not to get in an argument with the "Livejournal is stupid" crap that will get modded funny. Just be aware that it gets on the nerves of those of us who use it, and there will inevitably be posts by people defending LJ, and then ridiculous anti-LJ evangelizing posts (as if anyone commenting on Slashdot doesn't know their way around blogs).

    If you're posting anti-LJ jokes, please try to make them funny. And if you see useful information about the exploits, mod it up.

    --
    xkcd.com - a webcomic of mathematics, love, and language.
    1. Re:And now, by ClamIAm · · Score: 1

      All I have to say is, as an internet community gets larger, the idiots seem to group together to magnify the dumb to levels greater than the sum of their parts. If you don't do something to discourage them, they'll continue being idiots.

    2. Re:And now, by Council · · Score: 1

      as an internet community gets larger . . . if you don't do something to discourage them, they'll continue being idiots.

      Generally, you can't fix other people. Specifically, you definitely can't stop anonymous internet people from being idiots by calling them idiots.

      Arguing with strangers trolling online is like getting in a boxing match with a giant wall of flowing molasses -- it feels good to throw the first few punches, but then you realize you're getting all this gunk on your hands, and then you're stuck, and then you're slowly dragged down, and then you become part of the flood, careering into other people . . . it gets messy, and you're not gonna do anything to the molasses.

      Argue to practice expressing yourself, argue to share information, argue to correct people on factual or logical errors, and sure, argue if you enjoy it. But don't argue just to try to stop people from being idiots. It's hard to think of anything less effective.

      --
      xkcd.com - a webcomic of mathematics, love, and language.
    3. Re:And now, by Anonymous Coward · · Score: 0

      Cue the 500 posts about "haha, sucks for those Livejournal-using emo fucks" which help (a) put me off of Slashdot for a few days,

      Emo.

    4. Re:And now, by JoshNorton · · Score: 1
      Emo.

      Philips.

      --
      "Stupid! Stupid stupid stupid stupid! I touched the hot wire right there - I'm an idiot!"
    5. Re:And now, by Anonymous Coward · · Score: 0

      That was an awesome LJ parody dude, you rock!!!

    6. Re:And now, by cornface · · Score: 1

      All I have to say is, as an internet community gets larger, the idiots seem to group together to magnify the dumb to levels greater than the sum of their parts. If you don't do something to discourage them, they'll continue being idiots.

      You obviously missed the usenet train.

    7. Re:And now, by ClamIAm · · Score: 1

      I didn't use usenet back when it was considered "good", but the way I understand it, there were effective countermeasures against idiots back then. This being the fact that the community wasn't growing too fast, allowing effective assimilation/teaching of newbies.

  55. That's not how I roll by metalpet · · Score: 1

    Although LJ is currently holding the record in the "most ignored security bugs I reported" category (clocking at 25 months. previous holder was MS, and that was only 2 months), my usual disclosure policy is to not publicize details of a bug once it has been acknowledged until after it gets fixed.
    XSS on LJ seems minor enough not to warrant an exception.

    1. Re:That's not how I roll by xlv · · Score: 1
      my usual disclosure policy is to not publicize details of a bug once it has been acknowledged until after it gets fixed.


      You could contact their security team again and tell them you'll post to BugTraq or other security list if they don't give you a timeframe for the fix prior to the deadline. That way you'd still give them a chance to correct the problem but also prevent less ethical people from exploiting the bug.

    2. Re:That's not how I roll by Daveman692 · · Score: 1

      Please feel free to send it to me, email address at http://www.livejournal.com/userinfo.bml?user=daveman692. Thanks

  56. Re:Ahhhhh security.... in Web 2.0 land by TedTschopp · · Score: 1
    Is there an easier way to check for injections on rendering of the data rather than on saving of the data?


    Actually no, you want to check on input, and when you move between tiers. Something that is valid in the client might be a problem in the application tier or the data tier. And as someone someplace else stated, never trust input. So your database would validate the information before it's stored, your application would check the data (from the client and from the database) when it is passed into that tier. Of course when you pass stuff up into the client tier, you should mistrust that as well.
    --
    Fantasy remains a human right; we make in our measure and in our derivative mode... -- JRR Tolkien
  57. Re:Ahhhhh security.... in Web 2.0 land by psocccer · · Score: 1

    In general when looking at restricting things I find it's better to determine what is ok instead and only let through those things you know are not harmful. For example, maybe you wrote a website in 1998 that let users post to a guestbook, so you filtered out javascript, frames, etc. Well along comes xhtml+css and now there's new ways to embed javascript, so you have to update the things you strip out. You are now constantly reacting to the changes or extensions of the specification which may result in malicious behaviour in the future.

    Instead, the easier way would be to do something like only allow img, b, i, and a tags, and for img you only allow src attributes and for a you only allow href attributes. For both those attributes they must start with http:// or https://. Now no matter how html changes in the future or new browser extensions are added, they can't be exploited because your policy, by default, is going to deny those things since they are new and not allowed.

    Being a perl person, I use a module from cpan for this called HTML::TagFilter, which saves a lot of time :p
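
The policy psocccer describes (only img, b, i and a; src on img and href on a; URLs must begin with http:// or https://) as an added example in Python. It is not code from the thread or from HTML::TagFilter, and names such as `WhitelistSanitizer` and `sanitize` are made up for the illustration.

```python
from html import escape
from html.parser import HTMLParser

# Policy from the comment: allowed tag -> attributes allowed on it.
ALLOWED = {"b": set(), "i": set(), "a": {"href"}, "img": {"src"}}
URL_ATTRS = {"href", "src"}
SAFE_PREFIXES = ("http://", "https://")
VOID_TAGS = {"img"}                      # never gets a closing tag
DROP_WITH_CONTENT = {"script", "style"}  # discard the element body, not just the tag


class WhitelistSanitizer(HTMLParser):
    """Re-emits only whitelisted tags/attributes; everything else is denied by default."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags we emitted and still have to close
        self.drop_depth = 0   # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED:
            return  # unknown or future tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # onclick, style, onerror, ... are never re-emitted
            value = value.strip()
            if name in URL_ATTRS and not value.lower().startswith(SAFE_PREFIXES):
                continue  # any scheme other than http/https is refused
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_tags:
            return
        # Close anything opened inside this tag so the output stays balanced.
        while self.open_tags:
            closing = self.open_tags.pop()
            self.out.append(f"</{closing}>")
            if closing == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            # Text is always re-escaped, so it can never turn back into markup.
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions fall through to the
    # base-class handlers, which emit nothing.


def sanitize(fragment: str) -> str:
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    parser.close()
    while parser.open_tags:  # close whatever the user left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample input, not taken from any real journal entry.
    sample = '<div onclick="x()"><b>bold</b> <img src="http://example.com/a.png" onerror="x()"></div>'
    print(sanitize(sample))
```

Because the output is rebuilt from the parsed tokens rather than patched in place, a tag or attribute the policy has never heard of is simply never written out.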

  58. Re:Wonder why they haven't notified Californians.. by mmkkbb · · Score: 1

    My account had a bogus email address after it got compromised, until I changed it (and then it was suspended). They are probably holding off everything until the situation is more under control.

    --
    -mkb
  59. Is this also... by Anonymous Coward · · Score: 0

    ...the same exploit that was used to compromise a great number of Neopets accounts earlier this week?

  60. Oh, the irony by sboyko · · Score: 1

    Isn't it funny how people post here about the angst-ridden LJ'ers and yet have all day to moan and complain here? Is your angst just directed toward different things?

    And yes, I'm aware of the irony of me whining about other users on Slashdot. And yes, I have a LJ account.

    --
    SCO, Microsoft, P2P, what's your hot button?
  61. That attitude.. by Anonymous Coward · · Score: 0

    is often why bugs get out of control and cause more damage than they often would otherwise if they were disclosed to a large audience instead of being sat on.

  62. Mod up. by painandgreed · · Score: 2, Informative

    I'd mod you up if I had points. I'm almost 40 and use LJ for everything from keeping up with family to seeing who wants to go out for sushi after work. It's a place where my old friends can check up to see what I've been doing and check it again later if they forget. It serves some functions much better than email or phone.

  63. Re:Easy to tame the dogs by PastAustin · · Score: 2, Insightful
    The title of a post on that blog was: zomg Gr0w UP

    Here is the text:

    This is the most immature thing evar and I am glad to be no part of it. I am so sad when I see internet abused this way.

    You terrar faggots should stop flying your pooplanes(?!) into the lj towers before we get mad and invade your butts(?!?!?!?!). like you are an iraq we will be up there in your anustowns. thank you


    I'm not going to complain about anyone's typing on /. ever again... My god... Talk about immature.
    --
    Firefox 2.0 - Spell Rightly.
  64. Re:Ahhhhh security.... in Web 2.0 land by laffer1 · · Score: 0, Redundant

    That's a great idea. Does anyone know of example code to do this in java or .NET? I often find it difficult to wrap my mind around writing good validation code for complex data. (like blog entries) I have a blog site setup, but it has terrible data validation. I'd love to handle html safely.

  65. Re:A serious question by vertinox · · Score: 1

    Or at least I did, until my account was hacked and locked today.

    A question for my own reference. By chance, do you use windows? And if you do, do you use Internet Explorer 6?

    --
    "I am the king of the Romans, and am superior to rules of grammar!"
    -Sigismund, Holy Roman Emperor (1368-1437)
  66. Re:Hack This Sight by PastAustin · · Score: 2, Informative
    I have a sight for them to hack: www.yafro.com

    Imagine a photo blog with the mental age of 12, but the environment of a singles bar and the insecurities of all attention whores concentrated in one place. Shouldn't happen, should it? Well it has and it's called Yafro. Please h4x0r this sight friendly hackers. ;P



    I think your sight is already hacked because you're too blind to realize that sight and site are two different things. And just because they're pronounced the same doesn't mean they are the same thing. It's like son and sun.

    Saying I wasn't going to complain anymore was a lie. I may start complaining more actually.
    --
    Firefox 2.0 - Spell Rightly.
  67. Re:Easy to tame the dogs by AngelofDeath-02 · · Score: 1

    Yea ... I couldn't read past "evar" ...

    --
    No, I am not an English major. My posts are subject to typos and incorrect grammar. Do not expect perfection.
  68. Like everything in life: backups by Anonymous Coward · · Score: 0

    You can backup from LJ direct, or use one of multiple different 3rd party apps to do so. And since you can post with any date, you can restore your journal. Not the comments though, which could sting.

    But yes - hopefully it is a wake-up call, and one that will foster a new golden age of universal staged backups. Oh yes.

    1. Re:Like everything in life: backups by Anonymous Coward · · Score: 0

      Even without thousands of inciteful comments, it's not exactly trivial to restore five years' of entries.

    2. Re:Like everything in life: backups by Anonymous Coward · · Score: 0

      insightful

  69. Bantown contact info by Anonymous Coward · · Score: 2, Interesting

    The Bantown kids are notorious troublemakers. #bantown is juped on several EFnet servers and many networks because of their "Banbot", which invites tens of thousands of users to bantown and then kickbans them. They are pretty funny though, and I have enjoyed some of the time I have spent in their channel (when they aren't scrolling ANSI penis and goatse). You can find them at irc.rizon.net #bantown and they have a tollfree contact number at 888-LOL-WHAT. Yes, that number is real and works.

  70. That's the full disclosure debate thing all over by metalpet · · Score: 1

    Having been on both sides, as a security bug reporter, and as a web company employee having had to figure out how to handle those exact kind of reports, I try to be reasonable on both sides.
    I agree there are situations where public disclosure of an unpatched vulnerability is the right thing to do.
    In the LJ case, the underlying problem, in my opinion, is that their HTML parser attempts to filter bad things using a blacklist approach, rather than a whitelist.
    If I go public and effectively force them to scramble and fix those particular bugs quickly, I can guarantee the fix will end up being a few more blacklisted patterns. This in turn guarantees the exact same situation will happen over and over again.
    So I'm holding out, in hope they will use that time to rewrite proper HTML filters.

    Another way to look at it is, if I had gone public with my bugs 2 years ago, they'd have been fixed quickly, and the recent bantown crap would have happened in exactly the same way, causing just as much damage.
    Both strategies appear to be equally ineffectual here, with the difference that my approach still gives me some theoretical leverage I'm using to try and gently prod the LJ team toward fixing this the right way.

  71. Re:A serious question by StrawberryFrog · · Score: 1

    1) Yes, Windows XP
    2) No, Firefox 1.5 thankyouverymuch.

    --

    My Karma: ran over your Dogma
    StrawberryFrog

  72. Serves LJ right... by Khyber · · Score: 1

    Using Javascript was just ASKING for someone to bust in and screw with your stuff.

    Funnily enough, a couple months ago LJ told me my password was too insecure. I told them they had no right to talk to me about security.

    Looks like I was right after all.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  73. Re:Ahhhhh security.... in Web 2.0 land by Anonymous Coward · · Score: 0

    Wrong. That's a security problem in the CGI script, not in the JavaScript.

    When you type something into a webpage and it renders immediately, a copy is sent to the backend CGI script. Only you will see the copy that's rendered immediately, so the only person who you can exploit is yourself. Subsequent users will fetch your input from a CGI script.

    Any CGI script that allows user input and redisplays it to other users without escaping HTML and JavaScript appropriately is asking to be exploited. This can happen regardless of whether the input is sent via AJAX or if it's a traditional form submission.

  74. For those curious by cythrawll · · Score: 2, Interesting

    For those curious what was done with said accounts, they were also used to post a number of comments on the following posts: here here here Look at the comments.

  75. Re:A serious question by vertinox · · Score: 1

    Oh wow. I wonder if they brute forced your account or did they get Firefox to somehow compromise your account?

    --
    "I am the king of the Romans, and am superior to rules of grammar!"
    -Sigismund, Holy Roman Emperor (1368-1437)
  76. LiveJournal is riddled with security holes. by velocipenguin · · Score: 1

    I found a cross-site scripting hole in LiveJournal about two years ago, and wrote a very effective proof-of-concept exploit for it. I never disseminated any information about it, but it sounds like Bantown is exploiting similar vulnerabilities. LiveJournal's security is far too easy to circumvent if you can find a way to sneak JavaScript into a journal page.

    --

    Move 'sig'. For great justice!
    1. Re:LiveJournal is riddled with security holes. by petermgreen · · Score: 1

      yeah it's the bane of dynamic sites, browsers treat the hostname barrier as the security barrier and provide no way to mark untrusted content within your site. this means if you do anything at all that involves user submitted content you have to be extremely careful that users can't use it to pass script to the browser.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
  77. Online banking and Javascript by msbsod · · Score: 1

    This is not the first time that Javascript-related vulnerabilities caused trouble for a lot of people and it will not be the last time. Therefore people with common sense would like to simply turn off Javascript in the browser setting so that for example bank account information (cookies etc.) cannot be revealed to malicious web sites. But, without Javascript enabled most bank web sites cannot be accessed. By law everybody who likes to operate a car has to pass a driver's test. Why is at least common sense not required to operate a bank web site?

    1. Re:Online banking and Javascript by evanh · · Score: 1

      Yeah, not only that, all banks should require users to disable javascript before logging in.

      Evan

  78. Re:A serious question by StrawberryFrog · · Score: 1

    Apparently it was done due to flaws in LJ's security model, judging by friends' accounts, it happened to about 5% of the total LJ population today.

    --

    My Karma: ran over your Dogma
    StrawberryFrog

  79. Re:Ahhhhh security.... in Web 2.0 land by Stalyn · · Score: 1

    I think the best solution is to replace html tags with "&lt" and "&gt" in all user input. If you want users to format their output use a markup language you define or something pre-existing like Textile

    --
    The best education consists in immunizing people against systematic attempts at education. - Paul Feyerabend
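
The escape-first ordering that wolrahnaes (HTML-sanitize before BBCode parsing) and Stalyn (escape the angle brackets, then apply your own markup) describe, as an added example in Python that is not code from the thread. The tag set ([b], [i], [url=], [code]) and the function name `render_bbcode` are assumptions chosen for the illustration.

```python
import re
from html import escape

PAIR_TAGS = ("b", "i")
CODE_RE = re.compile(r"\[code\](.*?)\[/code\]", re.I | re.S)
# Links must carry an explicit http:// or https:// target; anything else stays literal text.
URL_RE = re.compile(r"\[url=(https?://[^\]\s]+)\](.*?)\[/url\]", re.I | re.S)


def render_bbcode(text: str) -> str:
    # NUL bytes are used below as placeholder markers, so remove any the user sent.
    text = text.replace("\x00", "")

    # Step 1: escape everything the user typed. From here on, every <, >, &
    # and quote in the string came from this function, never from the user.
    html = escape(text, quote=True)

    # Step 2: set [code] bodies aside so bracket tags inside them stay literal.
    stash = []

    def keep(match):
        stash.append(match.group(1))
        return f"\x00{len(stash) - 1}\x00"

    html = CODE_RE.sub(keep, html)

    # Step 3: only now translate the bracket markup into real HTML.
    for tag in PAIR_TAGS:
        html = re.sub(rf"\[{tag}\](.*?)\[/{tag}\]", rf"<{tag}>\1</{tag}>",
                      html, flags=re.I | re.S)
    html = URL_RE.sub(r'<a href="\1">\2</a>', html)

    # Step 4: put the (already escaped) code bodies back inside <pre>.
    return re.sub(r"\x00(\d+)\x00",
                  lambda m: f"<pre>{stash[int(m.group(1))]}</pre>", html)


if __name__ == "__main__":
    # Constructed sample post.
    post = '[b]Look[/b] at <script>x</script> and [code]<a href="#">[i]raw[/i]</a>[/code]'
    print(render_bbcode(post))
```

Pasted HTML comes out as visible text, which is the "display as code" benefit mentioned in the thread, and the URL pattern applies the same http/https-only rule to links.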
  80. Re:Hack This Sight by eno2001 · · Score: 1

    That's really asstute of you to notice that. Here is my business plan: I have some softwares you might want for free but it'll cost ya. My softwares will help you grow your own busyness at hoam using the simple tool of emails. The more emails you send the more money you can make. The profit margins oare all up to you my friend. Some of my partners have made millions with my softwares. And you can too. Just ask me how.

    --
    -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
  81. That'd be bluffing by metalpet · · Score: 1

    and I'm a terrible poker player.
    As I've detailed on the child of your older sibling post, I don't intend to post it publicly.
    I consider those particular bugs are mere symptoms of a flawed underlying design decision.
    My hope is that they adjust their design, not quickly cover their collective behinds.
    It's a long shot, I know.

  82. LJ is not the emo site you thinking of by scwizard · · Score: 1

    Being a frequent livejournal user, I can tell you all with confidence that LJ has a very small population of emos. Why the hell would any emo make a livejournal when they could make a deadjournal or a Xanga?

    --
    ~= scwizard =~
  83. Re:Easy to tame the dogs by Anonymous Coward · · Score: 0
  84. Re:Mr Moderator Doesn't Like The Truth by Anonymous Coward · · Score: 0

    I was one of those kids back in the late 1990s. Funny thing is, the only "exploit" anyone managed on my machine was to upload a pirated movie to a publicly accessible write-only SMB share (an isolated folder set up as a drop box), thinking they could use my box as a transfer point (and no doubt getting very upset when they couldn't move it anywhere else).

    So not only was the "vulnerability" they exploited a by-design feature present in most Windows boxes, it would have been more exploitable on Windows 95/98. All they managed to do to my system was tie up some bandwidth during the upload and tie up some disk space until I checked the drop box -- and get my port shut down when someone like you freaked out and saw that I was running something with different TCP ports than your typical Windows box.

  85. You must be new to Astroturfing. by twitter · · Score: 1
    What is the point of hacking a livejournal account? I guess you could put up some ads...

    The point of hacking people's journals is Astroturfing and Google page rank modification. If you did it right, you could create a false sense of community trust or like of your product and the blog owner would never know. Companies that forge letters from dead people on their behalf, invent "apple switchers" and pay students to talk to strangers about product and pressure their professors are all over that kind of thing. Companies like Microsoft have long focused on pleasing "decision makers" as a means of selling more of their junk. Haven't you noticed the crapflood of M$ apologists here on Slashdot?

    Deceptive techniques like this invariably backfire. A crap flood here on Slashdot filled with praise of XP was the last time I took any praise of anything Microsoft seriously. I read comment after comment of +5 informative drivel that mirrored M$ marketing I would hear elsewhere later, "It's based on the NT kernel so it's solid ..." and other better tempered bullshit. Five years later, we see that it was no more stable than any other M$ junk, has a 12 minute half life on any network, and that it did little more than force people to buy new hardware to get the same old things done. There are countless other examples of bogus praise M$ has bought here in one way or another. The net result of this kind of bullshit is for me to not trust anything positive I hear about anything M$.

    --

    Friends don't help friends install M$ junk.

    1. Re:You must be new to Astroturfing. by Anonymous Coward · · Score: 0

      I lost you at the point where you started the 'OMFG M$' rant, and I don't remember any 'astroturf campaign' - what, do you figure 'm$' pays five hundred people to post positive crap about Windows? Are you really that far gone? And 'astroturfing' to people on Slashdot no less, because they're the ones most susceptible to actually believing Windows is so great. Is that the logic you're using here? OMG...

  86. Watch Out, CmdrTaco by Webmoth · · Score: 1

    "...group members said they plan to turn their attention to looking for similar flaws at another large social-networking site..."

    Is Slashdot next?

    --
    Give me my freedom, and I'll take care of my own security, thank you.
  87. Re:Ahhhhh security.... in Web 2.0 land by Anonymous Coward · · Score: 0

    Perhaps you can use Perl from inside Java or .Net? I don't know, here's the source of that perl module just in case:

    http://search.cpan.org/~wross/HTML-TagFilter-1.03/TagFilter.pm

  88. You got their email addy after being hijacked? by Khyber · · Score: 1

    Why not turn that email address in for monitoring by the authorities? Proxy or not, an ISP can traceroute. Find the IP owner (If static, if not find out which IP address was allocated at the time of access to that email account and trace back from there) and blast his ass in court. Even though it's a blog, (IANAL) I say they infringed on your personal property, and you should have a right to defend yourself against this shit.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:You got their email addy after being hijacked? by StrawberryFrog · · Score: 1

      While unlocking my account, I saw a bunch of bantownllj*@mailinator.com addresses had been attached to it. Given that around 5% of the LJ people that I know were affected by this outage, and that some of them even have paid accounts, I think that the LJ admins know very well which email addresses were used for the mass account compromises.

      I for one look forward to the perps being traced and having the crap kicked out of them ... er, in a metaphorical, legal sense, of course. Yeah.

      --

      My Karma: ran over your Dogma
      StrawberryFrog

  89. Re:Wonder why they haven't notified Californians.. by Anonymous Coward · · Score: 0

    You should read the laws that you are trying to apply, they would only be required to notify you if data that could be used to steal your identity had been compromised, and even then, only if it wasn't protected when it was stolen (unencrypted, etc.). So unless you make it a regular habit of posting your social security number in your live journal, then this is not a situation that would apply.

  90. You want it fixed? by Khyber · · Score: 1

    EXPLOIT THAT MOTHERFUCKER! The only way SixApart and LJ will get their asses in gear is when you start costing them money. Just like Microsoft, just like most other software/service vendors that care about money more than the satisfaction of their customers. (And if you don't know what I mean, go google the problems everyone's had with LJ. They're WIDELY-MENTIONED.)

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  91. I am a LJ user and LJ hater. by Khyber · · Score: 1

    Let me tell you why. Maybe you'll get some insight into the hatred/love of LJ. I made a community called DIERIAA. The purpose of the community, stated in the info page about the community, was to "Expose people to the music that bands and their labels (indie or not,) release on the web for free promotion." LJ took this as VIOLATING THE LAW, and shut down my community subsequently, before it ever had its first post. They even told me I was breaking the law (How am I breaking the law if I haven't even posted a link to music that is copywritten and not offered on the internet for public consumption?) That's just my example, and I have HTTPTrack records as proof on a ZIP disk. LJ, while I enjoy it from time to time, can KISS MY FUCKING ASS for the bullshit they've pulled on their supporters.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:I am a LJ user and LJ hater. by Anonymous Coward · · Score: 0

      When naming your community, you misspelled "DIARRHEA."

  92. Well yes, but no. by metalpet · · Score: 1

    Ah yes, me versus a giant money-grubbing corporation. An epic fight, where two men enter, one man leaves. That'd show them.

    Seriously though, the only reason I find security bugs in stuff is because I use that stuff in the first place. I use it because I like it, so I don't have any particular ill-will toward them.
    I've been around enough coders to know how easy it is to screw up, particularly when you don't really understand all the security implications of what you're doing.

  93. Yes, Six Apart IS incompetent by Hideyoshi · · Score: 1

    They're thoroughly incompetent, and arrogant as hell to boot - do business with these clowns at your peril.

  94. Poor Web coding... by Merdalors · · Score: 1
    I've seen bugs as amateur as off-by-1 bugs in their pagination code.

    Hmmm... sounds like Slashdot's duplicated code style (approximately the bottom half of page n posts are repeated at the top of page n + 1).

    Delenda est Carthagena

    --
    Slashdot entertains. Windows pays the mortgage.
  95. Thank them personally by Anonymous Coward · · Score: 0

    irc.rizon.net #bantown if you want to tell them exactly how thrilled you are with their behavior.

    Here's the livejournals of a few people known to hang out in #bantown:

    I can't confirm either way that they're personally involved in all of this mess or not, but at the very least, why don't you click on through and let them know what you think about the people they hang out with. You can tell a lot about a person by the company they keep, no?

    It'd be a real shame if someone exploited their Lj accounts in the same way they've been exploiting others'. A real fucking shame. It'd be even more of a shame if something happened to their irc net. I bet we'd all feel real bad for them.