Slashdot Mirror

← Back to Stories (view on slashdot.org)

Details of the LiveJournal Account Hacks

Posted by Zonk on from the my-rss-reader-is-unhappy dept.

An anonymous reader writes "Brian Krebs of the Washington Post has written about the recent spate of hijackings at Six Apart's popular LiveJournal service. Hundreds of journals have now been taken over by a notorious group called 'Bantown' using a series of complicated cross-site-scripting vulnerabilities. Krebs details the recent security changes made by LiveJournal in response to the takeovers." From the article: "It is unclear whether LiveJournal has managed to close the security holes that the hackers claim to have used. The company says it has, but the hackers insist there are still at least 16 other similar JavaScript flaws on the LiveJournal site that could be used conduct the same attack. [Bantown] group members said they plan to turn their attention to looking for similar flaws at another large social-networking site. "

4 of 246 comments (clear)

  1. Re:Wake up call by Lehk228 · · Score: 3, Interesting

    myspace already got owned by a javascript worm that worked it's way into millions of profiles.

    now instead of fixing the site it asks you for your password 50 f*cking times a day.

    --
    Snowden and Manning are heroes.
  2. Ahhhhh security.... in Web 2.0 land by TedTschopp · · Score: 4, Interesting

    As we move more towards applications that depend on the JavaScript enabled client (AJAX and all his relatives) we will see more of this hacking.

    On the bright side, it will eventually get people to code securely in a non-trusted enviroment becuase the source code is not only available, but changeable.

    Sadly, there will be a bunch of rough lessons between that wonderful future and what we have right now, espeically with all the focus on WEB 2.0 and Ajax.

    --
    Fantasy remains a human right; we make in our measure and in our derivative mode... -- JRR Tolkien
  3. Re:Ahhhhh security.... in Web 2.0 land by aztracker1 · · Score: 3, Interesting

    I don't see how it will necessarily be *more* dangerous than today... simply hit some main points.. strip script tags altogether from user input... or detect/escape them. with link tags, remove them if the href starts with "javascript:" and third, remove on* event attributes from any user inputted tags... issue resolved (for the most part)...

    The problem isn't the level of javascript in a site, the problem is checking/validating user input. This is something most developers, especially professional ones, should know.

    --
    Michael J. Ryan - tracker1.info
  4. Re:Is Six Apart able to deal with this properly? by Max+Threshold · · Score: 3, Interesting
    The LiveJournal development and support staff have always been incompetent. In the past, they've compensated paid users with extensions on their subscriptions because of extended service problems they didn't seem to know how to fix. Most recently, they moved their servers from Seattle to L.A., and for the next month, nobody was receiving their comment notifications. They claimed to have fixed it, then realized they hadn't, then sort of brushed it under the rug. I'm still missing all my comment notifications from the month following November 22, 2005. (And there's no other way to follow threads in communities.)

    In many ways, LiveJournal is becoming one of those sites that people only use because it's well-established. If it were new, the glaring problems with the software that runs it would leave it DOA... much like Photo.net and Slashdot.