Slashdot Mirror


Details of the LiveJournal Account Hacks

An anonymous reader writes "Brian Krebs of the Washington Post has written about the recent spate of hijackings at Six Apart's popular LiveJournal service. Hundreds of journals have now been taken over by a notorious group called 'Bantown' using a series of complicated cross-site-scripting vulnerabilities. Krebs details the recent security changes made by LiveJournal in response to the takeovers." From the article: "It is unclear whether LiveJournal has managed to close the security holes that the hackers claim to have used. The company says it has, but the hackers insist there are still at least 16 other similar JavaScript flaws on the LiveJournal site that could be used to conduct the same attack. [Bantown] group members said they plan to turn their attention to looking for similar flaws at another large social-networking site."

12 of 246 comments

  1. Re:Wake up call by Lehk228 · · Score: 3, Interesting

    myspace already got owned by a javascript worm that worked its way into millions of profiles.

    now instead of fixing the site it asks you for your password 50 f*cking times a day.

    --
    Snowden and Manning are heroes.
  2. Smells like freedom downtime by Anonymous Coward · · Score: 1, Interesting

    Big numbers make for good stories, you have to wonder if Bantown has actually compromised as many accounts as the reporter says they have. Looking at the latest LiveJournal news post, they don't seem to claim that they've closed all the holes, just that they've taken steps to make their service more secure.

    How come there are no details on the exploit?

  3. Ahhhhh security.... in Web 2.0 land by TedTschopp · · Score: 4, Interesting

    As we move more towards applications that depend on the JavaScript enabled client (AJAX and all his relatives) we will see more of this hacking.

    On the bright side, it will eventually get people to code securely in a non-trusted environment because the source code is not only available, but changeable.

    Sadly, there will be a bunch of rough lessons between that wonderful future and what we have right now, especially with all the focus on WEB 2.0 and Ajax.

    --
    Fantasy remains a human right; we make in our measure and in our derivative mode... -- JRR Tolkien
  4. Re:Ahhhhh security.... in Web 2.0 land by aztracker1 · · Score: 3, Interesting

    I don't see how it will necessarily be *more* dangerous than today... simply hit some main points.. strip script tags altogether from user input... or detect/escape them. with link tags, remove them if the href starts with "javascript:" and third, remove on* event attributes from any user inputted tags... issue resolved (for the most part)...

    The problem isn't the level of javascript in a site, the problem is checking/validating user input. This is something most developers, especially professional ones, should know.

    --
    Michael J. Ryan - tracker1.info
  5. Re:I don't know by neocon · · Score: 2, Interesting

    ``Lambs'', of course, are innocent and defenseless. I think you mean ``wolves thrown to the farmers''...

  6. Re:Blog by EternityInterface · · Score: 1, Interesting

    Any intelligent fool can make things
    bigger / more complex / and more violent
    It takes a touch of genius
    and a lot of courage
    to move in the opposite direction
    (Einstein)

    I'd like an explanation of why Flash isn't allowed beyond "shit coding". BTW, You cannot use JavaScript [...] These scripts pose a security risk [..] and are automatically stripped [...] (Last Updated: October 30th, 2005)

    --
    the sun is god
  7. frequent problems by headonfire · · Score: 2, Interesting

    since the six apart acquisition and the moving of the data center from seattle to san francisco, livejournal has actually had perpetual technical issues. User pictures being jumbled, comment notification emails broken (this has been a recurring one), problems during peak load hours, community comments, and the like. Every day I look on in greater dismay as admin messages telling me something else is broken or having troubles. I like the service enough to pay for it, so I can keep in touch with old friends I've moved away from. But the 6apart and data center swap were terrible, terrible ideas that are degrading service quality inch by emo little inch.

  8. I'm pretty sure they're not bluffing... by metalpet · · Score: 2, Interesting

    ...about the 16 other XSS attacks.

    I've reported an XSS flaw exploitable over IE to LJ over 2 years ago, and the flaw is still exploitable to this day.
    (Yes, the email report was read by the right folks over at LJ.)

    I'm slightly overdue to send them my yearly reminder, I think. (I should probably set up a cron job for that.)

  9. economics by Anonymous Coward · · Score: 1, Interesting

    Cross Site Scripting is compounded by the fact that many of these sites use plain cookies for authentication.

    A while back I deciphered mySpace's cookie encoding so I could log in as any user. I was disgusted. I managed to chat with mySpace's CIO, and it became clear they had no intention of fixing this.

    In their opinion, the economics of better security didn't make sense. Server clustering meant that traditional {fast} sessions wouldn't work, and using a database to store session info was too slow.

    I'm not sure if this is still true, but at the time, advertising hit counts mattered, security did not.
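
One way to authenticate a cookie without a per-request session lookup, as an added example that is not part of the original comment and not any site's actual code: the server signs the user id and an expiry with an HMAC key shared across the cluster, so any node can verify the cookie statelessly. The key, cookie name, field layout and function names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import time

# Assumed: one secret distributed to every web server in the cluster.
CLUSTER_KEY = b"constructed-example-key-not-for-production"
MAX_AGE = 3600  # seconds a session stays valid


def _sign(payload: bytes, key: bytes) -> str:
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_session(user_id: str, key: bytes = CLUSTER_KEY, now=None) -> str:
    """Return 'user|expiry|mac'; any node holding the key can verify it."""
    expiry = int(now if now is not None else time.time()) + MAX_AGE
    payload = f"{user_id}|{expiry}"
    return f"{payload}|{_sign(payload.encode(), key)}"


def verify_session(token: str, key: bytes = CLUSTER_KEY, now=None):
    """Return the user id if the token is authentic and unexpired, else None."""
    try:
        user_id, expiry, mac = token.rsplit("|", 2)
        expires_at = int(expiry)
    except ValueError:
        return None  # wrong number of fields or non-numeric expiry
    expected = _sign(f"{user_id}|{expiry}".encode(), key)
    # Constant-time comparison, and the MAC is checked before the expiry is trusted.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if (now if now is not None else time.time()) >= expires_at:
        return None
    return user_id


def set_cookie_header(token: str) -> str:
    # HttpOnly keeps page scripts (including injected ones) from reading the cookie.
    return f"Set-Cookie: session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

A stateless token like this cannot be revoked individually before it expires, so the expiry should be kept short.
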

  10. Re:Is Six Apart able to deal with this properly? by Max+Threshold · · Score: 3, Interesting

    The LiveJournal development and support staff have always been incompetent. In the past, they've compensated paid users with extensions on their subscriptions because of extended service problems they didn't seem to know how to fix. Most recently, they moved their servers from Seattle to L.A., and for the next month, nobody was receiving their comment notifications. They claimed to have fixed it, then realized they hadn't, then sort of brushed it under the rug. I'm still missing all my comment notifications from the month following November 22, 2005. (And there's no other way to follow threads in communities.)

    In many ways, LiveJournal is becoming one of those sites that people only use because it's well-established. If it were new, the glaring problems with the software that runs it would leave it DOA... much like Photo.net and Slashdot.

  11. Bantown contact info by Anonymous Coward · · Score: 2, Interesting

    The Bantown kids are notorious troublemakers. #bantown is juped on several EFnet servers and many networks because of their "Banbot", which invites tens of thousands of users to bantown and then kickbans them. They are pretty funny though, and I have enjoyed some of the time I have spent in their channel (when they aren't scrolling ANSI penis and goatse). You can find them at irc.rizon.net #bantown and they have a toll-free contact number at 888-LOL-WHAT. Yes, that number is real and works.

  12. For those curious by cythrawll · · Score: 2, Interesting

    For those curious what was done with said accounts, they were also used to post a number of comments on the following posts: here here here Look at the comments.