Details of the LiveJournal Account Hacks

An anonymous reader writes "Brian Krebs of the Washington Post has written about the recent spate of hijackings at Six Apart's popular LiveJournal service. Hundreds of journals have now been taken over by a notorious group called 'Bantown' using a series of complicated cross-site-scripting vulnerabilities. Krebs details the recent security changes made by LiveJournal in response to the takeovers." From the article: "It is unclear whether LiveJournal has managed to close the security holes that the hackers claim to have used. The company says it has, but the hackers insist there are still at least 16 other similar JavaScript flaws on the LiveJournal site that could be used conduct the same attack. [Bantown] group members said they plan to turn their attention to looking for similar flaws at another large social-networking site. "

Legal Implications

[eldavojohn]

In LiveJournal's TOS, they state:

JOURNAL CONTENT

Guidelines for posting to your online journal shall be as follows:

1. All Content posted to LiveJournal.com in any way, is the responsibility and property of the author. LiveJournal is committed to keeping the Service in decent standing for all audiences but is not responsible for the monitoring or filtering of any journal Content. Within the confines of international and local law, LiveJournal.com will generally not place a limit on the type, or appropriateness of user content within journals. Those users posting material not suitable for all audiences must agree that they are fully responsible for all the content they have posted anywhere on the service. Should content be deemed illegal by such law having jurisdiction over the user, LiveJournal.com is committed to submitting all necessary information to the proper authorities; ....

So it sounds like they might be in trouble with people losing property, however also in the TOS:

MODIFICATIONS TO SERVICE

LiveJournal.com reserves the right to modify or discontinue, temporarily or permanently, the Service (or any part thereof) with or without notice at any time. You agree that LiveJournal.com shall not be liable to you or to any third party for any modification, suspension or discontinuance of the Service.

And there are other parts that make it sound like LiveJournal would never be in trouble for this unauthorized access parts. But really, who would bother to post their thoughts and words on a site that has no garauntee of saving them? At any minute, LiveJournal could format its servers and databases and start over with no one able to say anything.

This is Cross Site Scripting

[mrkitty]

I've written an FAQ on this type of attack which can be found below.
The Cross Site Scripting FAQ

Re:Great!

[mattmacf]

...all the spelling errors and bad grammer so prolific in LJ

You realize where you're posting this, right?

Long Standing Xanga Vulnerability

[gasjews]

The GNAA Security Center released working exploit code for the Xanga blogging service (which, I might add, predates MySpace by quite a long time, and maybe LJ too).

This exploit works because Xanga lets users insert Javascript codes into their websites. A malcious user just needs to add the code to their "Look and Feel" control panel and then the Javascript code will send the login cookies of anyone who visits their page to a remote server. Xanga has rudimentary JS filtering of "bad" functions but these filters can easily be bypassed by using the document.print method to write out the bad code across several calls (i.e. document.print("");). Xanga knows about the problem but will not fix it.

This code was used to breach security of several Xanga administrators for many months.

Re:Oh dear!

[StrawberryFrog]

How on Earth are all those white kids in the suburbs going to express their teen angst now?

How on Earth are all those white kids in the suburbs going to express their teen angst now?

I wouldn't know mate. I'm in my 30s, and I use LJ to keep in touch with family and friends around the world (UK, Australia, US and South Africa mostly).

Or at least I did, until my account was hacked and locked today. A good number of other accounts are in the same boat. I just hope that the LJ admins sort it out soon. My account email address was changed to bantownlj292@mailinator.com . I just hope my posts are OK. I can't even tell at present.

Re:Wake up call

[Neoprofin]

1) The problem was actually in IE's ability to fix and execute broken CSS code which allowed him to input a broken call to a script to get it past the filters and then have IE fix and execute it. THe author himself took down his profile to stop the spread and after a few hours of downtime the problem was fixed, in fact there's a /. article about it. 2) You have to enter your password every time you log out, which is every time you close your browser. Never close the browser never log out. Simple.

Mod up.

[painandgreed]

I'd mod you up if I had points. I'm almost 40 and use LJ for everything from keeping up with family to seeing who wants to go out for sushi after work. It's a place where my old friends can check up to see what I've been doing and check it again later if they forget. It serves some functions much better than email or phone.

Re:Hack This Sight

[PastAustin]

I have a sight for them to hack: www.yafro.com

Imagine a photo blog with the mental age of 12, but the environment of a singles bar and the insecurities of all attention whores concentrated in one place. Shouldn't happen, should it? Well it has and it's called Yafro. Please h4x0r this sight friendly hackers. ;P

I think your sight is already hacked because you're too blind to realize that sight and site are two different things. Any just because they're pronounced the same doesn't mean they are the same thing. It's like son and sun.

Saying I wasn't going to complain anymore was a lie. I may start complaining more actually.