Slashdot Mirror


Details of the LiveJournal Account Hacks

An anonymous reader writes "Brian Krebs of the Washington Post has written about the recent spate of hijackings at Six Apart's popular LiveJournal service. Hundreds of journals have now been taken over by a notorious group called 'Bantown' using a series of complicated cross-site-scripting vulnerabilities. Krebs details the recent security changes made by LiveJournal in response to the takeovers." From the article: "It is unclear whether LiveJournal has managed to close the security holes that the hackers claim to have used. The company says it has, but the hackers insist there are still at least 16 other similar JavaScript flaws on the LiveJournal site that could be used to conduct the same attack. [Bantown] group members said they plan to turn their attention to looking for similar flaws at another large social-networking site."

17 of 246 comments

  1. Blog by Ribbo.com · · Score: 5, Funny

    Maybe they should write about how they did it in their blog, I mean someone else's blog...

  2. Poor Emos! by Ardeocalidus · · Score: 4, Funny

    Nooo! Poor Emos! I can just see them shivering in a cold, dank corner, cutting themselves because their journal was hi-jacked. What is becoming of this world?!

    1. Re:Poor Emos! by hkgroove · · Score: 5, Funny

      I can just see them shivering in a cold, dank corner, cutting themselves because their journal was hi-jacked.

      No, they wouldn't. Because there's no longer a reason to cut themselves! No one can read or comment about it.

    2. Re:Poor Emos! by ZeroExistenZ · · Score: 5, Funny

      --
      I think we can keep recursing like this until someone returns 1

  3. Wake up call by Anonymous Coward · · Score: 4, Insightful

    This is a wake-up call to people who use these services... sites like MySpace, LiveJournal, all have fancy features that do things that "users want", but at the expense of security because users don't think of/realize/care about security unless it actually results in a successful hack against them. Those who have hacked LJs might want to consider running their blog using plain text instead of all that wacky Javascript (not exactly necessary for something as basic as text on a web page). Ya get what you pay for... I'd be pretty choked if I was a LJ user who paid for a membership and had my pages all hijacked beyond repair, though...

  4. Oh dear! by Junky191 · · Score: 5, Funny

    How on Earth are all those white kids in the suburbs going to express their teen angst now?

    1. Re:Oh dear! by StrawberryFrog · · Score: 4, Informative

      How on Earth are all those white kids in the suburbs going to express their teen angst now?

      I wouldn't know mate. I'm in my 30s, and I use LJ to keep in touch with family and friends around the world (UK, Australia, US and South Africa mostly).

      Or at least I did, until my account was hacked and locked today. A good number of other accounts are in the same boat. I just hope that the LJ admins sort it out soon. My account email address was changed to bantownlj292@mailinator.com. I just hope my posts are OK. I can't even tell at present.

      --

      My Karma: ran over your Dogma
      StrawberryFrog

  5. Re:Livejournal hacks? by gEvil+(beta) · · Score: 5, Funny

    I've seen your pictures and can definitively say that the hackers were doing the world a service.

    --
    This guy's the limit!

  6. Is Six Apart able to deal with this properly? by mpontes · · Score: 5, Insightful

    I've been following this lately, and Six Apart's behaviour on this situation seems quite lacking. If what the article says is true and bantown have been just stealing cookies, the only measure they took, a recent change in LJ's subdomain policy, seems quite pointless, since cookies are bound to .livejournal.com anyway.

    They also don't tell us which browser is affected on the newspost. How can we be safe if we are not informed? Can Six Apart actually deal with this in a professional way? I've been noticing LiveJournal is really slow and it hangs a lot lately. It seems that they know nothing about security and are just randomly mashing buttons in an attempt to hit the nail on the head.

    Is Six Apart that incompetent that they can't prevent such attacks after they have been going for days, or is this bantown group really that good?

    --
    Bored? Browse Slashdot with a +6 modifier for Troll comme
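    The cookie-scoping point behind this comment, as an added example that is not LiveJournal's or Six Apart's code: the domain-matching rule is RFC 6265 section 5.1.3, and the host names and cookie names below are constructed. A cookie bound to .livejournal.com is sent to, and readable by script on, every user subdomain, so moving journals to subdomains changes nothing; a host-only, HttpOnly cookie does.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str          # Domain attribute as set by the server
    host_only: bool      # True when Set-Cookie carried no Domain attribute
    http_only: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the host equals the domain or is a subdomain of it."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def cookie_sent_to(cookie: Cookie, request_host: str) -> bool:
    """Would a browser attach this cookie to a request for request_host?"""
    if cookie.host_only:
        return request_host.lower() == cookie.domain.lower()
    return domain_matches(request_host, cookie.domain)


def readable_by_script(cookie: Cookie, page_host: str) -> bool:
    """Can document.cookie on a page served from page_host read this cookie?"""
    return cookie_sent_to(cookie, page_host) and not cookie.http_only


def compare_policies() -> dict:
    # Constructed: a site-wide session cookie as the comment describes it
    # (bound to .livejournal.com), beside a host-only, HttpOnly alternative.
    sitewide = Cookie("ljsession", "livejournal.com", host_only=False)
    hardened = Cookie("ljsession", "www.livejournal.com",
                      host_only=True, http_only=True)
    # Constructed: the main site and a journal page on a user subdomain,
    # i.e. a page where injected script would run.
    hosts = ["www.livejournal.com", "someuser.livejournal.com"]
    return {
        label: {h: readable_by_script(c, h) for h in hosts}
        for label, c in (("sitewide", sitewide), ("hardened", hardened))
    }
```

    The hardened cookie is still sent to www.livejournal.com, so the session keeps working; it is simply neither sent to user subdomains nor exposed to document.cookie.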

  7. Ahhhhh security.... in Web 2.0 land by TedTschopp · · Score: 4, Interesting

    As we move more towards applications that depend on the JavaScript enabled client (AJAX and all his relatives) we will see more of this hacking.

    On the bright side, it will eventually get people to code securely in a non-trusted environment because the source code is not only available, but changeable.

    Sadly, there will be a bunch of rough lessons between that wonderful future and what we have right now, especially with all the focus on WEB 2.0 and Ajax.

    --
    Fantasy remains a human right; we make in our measure and in our derivative mode... -- JRR Tolkien

  8. Even more appalling... by Orrin+Bloquy · · Score: 5, Funny

    ...they hacked into my LJ and corrected all the meter in my "I am sad/I want to die" goth poetry!

    --
    "Made up/misattributed quote that makes me look smart. I am on /. and I must look smart."

  9. Details are scarce. by Peganthyrus · · Score: 4, Insightful

    It would've been nice if LJ's news post on starting to fix this vulnerability had said which "popular browser" was affected.

    Also, I somehow find myself suspecting that the anonymous person calling this 'Bantown' group 'notorious' is probably a member of it.

    Details are scarce; all I could find in the LJ_Dev community relating to this was one post about the effects of the first phase of the fix. Especially check Brad's comments.

    --
    egypt urnash minimal art.

  10. Seen on a hacked page by dkleinsc · · Score: 5, Funny

    Current mood: 0wned

    --
    I am officially gone from /. Long live http://www.soylentnews.com/

  11. it was funny by conJunk · · Score: 4, Funny

    that was the funniest part of TFA:

    So far, the damage has been mostly harmless. The most high-profile case so far came in mid-October when one Myspace.com user released a self-replicating computer worm that took advantage of Javascript flaws to add more than a million fellow users to his buddy list. A similar worm hit the online community Xanga on New Year's eve (there is also some strong language at this link.)

    he used his worm to add people to his buddy list! that's really really funny! look how popular i am! i've got millions of friends! no one will laugh at me now!... er... i uh... yes... i wrote a worm to make friends for me....

  12. Bantown! (sung in the Petula Clark style) by digitaldc · · Score: 5, Funny

    When your site is down & Livejournal's making you angry
    You can always blame - Bantown!
    When you've got blogs, all the noise and the worry
    Seems to stop, I know - Bantown!
    Just listen to the music of the vulnerable website
    Linger on the domain where the CSS is not right
    You only lose!

    The lags are much longer there
    You can see all your troubles, see all your fear
    So go Bantown! things'll be worse when you're
    Bantown! - no security measures, for sure
    Bantown! - everyone's waiting on you!

    --
    He who knows best knows how little he knows. - Thomas Jefferson

  13. This is Cross Site Scripting by mrkitty · · Score: 5, Informative

    I've written an FAQ on this type of attack which can be found below.
    The Cross Site Scripting FAQ

    --
    Believe me, if I started murdering people, there would be none of you left.

  14. And now, by Council · · Score: 4, Insightful

    Cue the 500 posts about "haha, sucks for those Livejournal-using emo fucks" which help (a) put me off of Slashdot for a few days, and (b) obscure the actual information about how I should secure my account or what vulnerabilities these break-ins made use of.

    I'm taking a deep breath and trying not to get in an argument with the "Livejournal is stupid" crap that will get modded funny. Just be aware that it gets on the nerves of those of us who use it, and there will inevitably be posts by people defending LJ, and then ridiculous anti-LJ evangelizing posts (as if anyone commenting on Slashdot doesn't know their way around blogs).

    If you're posting anti-LJ jokes, please try to make them funny. And if you see useful information about the exploits, mod it up.

    --
    xkcd.com - a webcomic of mathematics, love, and language.