Slashdot Mirror


LiveJournal XSS Security Challenge

Jamesday writes "LiveJournal is offering a free permanent account and possibly other prizes to those who find new vulnerabilities in its XSS Security Challenge. LiveJournal has recently been attacked via a Firefox XSS exploit."

66 comments

  1. Well.. by AWhiteFlame · · Score: 1

    Poor guys at livejournal.. You're going to slashdot their VM test box.

    --
    "Everything worth innovating today will go to court tomorrow."
    1. Re:Well.. by Crazyscottie · · Score: 1

      Hey, how did you know what software we were running?

      -SixApart CEO

      --
      Just because it can't be explained doesn't mean it isn't true. Science fits into reality... not the other way around.
    2. Re:Well.. by PastAustin · · Score: 1
      Poor guys at livejournal.. You're going to slashdot their VM test box.

      Poor guys at livejournal.. We did slashdot their VM test box.
      That's what they get for giving it too little memory. Hey! At least the icon comes through!
      --
      Firefox 2.0 - Spell Rightly.
  2. I have no time for this by Steev · · Score: 5, Funny

    Maybe if the prize was something useful, I might be interested. I have my hands full exploiting MySpace.

    1. Re:I have no time for this by Muramasa · · Score: 0

      If I ever had mod points, I'd mod you up. That was probably the funniest thing I've ever read on Slashdot.

    2. Re:I have no time for this by PastAustin · · Score: 1
      Maybe if the prize was something useful, I might be interested. I have my hands full exploiting MySpace.

      I was until Tom took down LOGIN for fucking repairs.
      The fucking login!!! And there are MILLIONS OF PEOPLE who use that site.
      Since things that suck are coming into fashion I'm wondering when Windows ME is going to make its big comeback...
      --
      Firefox 2.0 - Spell Rightly.
    3. Re:I have no time for this by DeafByBeheading · · Score: 1

      Right. I can't imagine anyone who is both (1) qualified and (2) interested in the reward.

      --
      Telltale Games: Bone, Sam and Max
  3. Y'know... by Grendel+Drago · · Score: 4, Interesting

    ... this wouldn't even be necessary if they'd taken security seriously in the first place, instead of tacking it on as an afterthought, or using the "eh, we can probably trust all this user-submitted content" model.

    But still, good to see them taking it seriously. Now, instead of Bantown getting an eternal newspost declaring their victory, they'll just get permanent accounts.

    --
    Laws do not persuade just because they threaten. --Seneca
    1. Re:Y'know... by Billosaur · · Score: 0, Flamebait
      ... this wouldn't even be necessary if they'd taken security seriously in the first place, instead of tacking it on as an afterthought, or using the "eh, we can probably trust all this user-submitted content" model.

      Oh, but we can trust users, can't we? And what's with a little harmless hacking? Good for the spirit, good for the soul!

      Making software bulletproof is probably impossible. If one coder can think something up, another can devise a way to break it or exploit it. LiveJournal is going to run their little contest, someone will come along and solve their current problem, and all the while Bantown will be finding a new exploit. Perhaps they should go back to first principles and design the site correctly.

      --
      GetOuttaMySpace - The Anti-Social Network
    2. Re:Y'know... by laffer1 · · Score: 3, Insightful

      What I find interesting about your comment is that you admit it's probably impossible to make bulletproof software, yet you think they should rewrite it "correctly". I see comments like this all the time on slashdot and on security minded lists like bugtraq, webappsec, etc. I've yet to see anyone come up with a list or example site that is "written correctly." In the rare case someone does offer an example, it's usually as bad as something I'd see in a CS class. There is like one or two input fields that have very well defined input. Anyone could write secure code for that. On the Internet, it's not that easy. People want to post HTML comments, invalid HTML, 10 year old HTML, javascript they generated on some site to make a button or sig come alive. Blogging sites have two target audiences, 18-30 year olds and younger people. Most younger people would prefer to use an IM client than anything else, and occasionally older people do keep blogs. Live Journal has a better range than most sites. Most people in these target groups want to post HTML comments or at least rich formatted posts.

      I don't think people realize how complex a blogging site can be. Attempting to secure a blogging site is a real task. Live journal actually has a revenue stream and paid programmers so there is less excuse for them not to try, but succeeding is another matter. In reality, if they cut off rich content posting then their users will move on to another service or simply find an OSS product they can run themselves. Then we'll have automated attacks on those scripts. I've written a blogging site in java, and it's not even close to secure. I'm in the process of rewriting the whole thing in a language I'm more familiar with. It's not an easy task.

    3. Re:Y'know... by shift.red.avni · · Score: 2, Informative

      They always have taken it seriously. In fact IE LJ users have been nearly invulnerable to simple (stuff that doesn't exploit IE cross-domain vulnerabilities) XSS attacks for years, because of LJ's use of HTTPONLY cookies.

      Firefox devs have in the past explicitly ruled out supporting HTTPONLY pretty much just because Microsoft invented it. The result is Firefox users are much more vulnerable to XSS attacks than IE users.

    4. Re:Y'know... by timbrown · · Score: 1

      Cookies.... screw cookies, XSS is about so much more. As an example how about clipboard stealing, unfixed by Microsoft since 2002. :)

      --
      Tim Brown
    5. Re:Y'know... by Billosaur · · Score: 1
      I don't think people realize how complex a blogging site can be. Attempting to secure a blogging site is a real task. Live journal actually has a revenue stream and paid programmers so there is less excuse for them not to try, but succeeding is another matter.

      There is a vast difference between making a site "bulletproof" and making it work "correctly." Make no mistake, any software undertaking is not easy, but when a piece of software has to interact with the outside environment, the correct procedure is to treat data like stinky fish until you can verify its integrity. I write Perl apps and the taint mode (-T) switch is my friend. It forces me to ask "what is this data and how do I know it's valid?" If I can't answer that question, I shouldn't be using it. Now, to parse blog material is tedious, because content can take on so many different internal formats, but if you stick to only allowing content a certain way and then parse consistently, you can avoid a lot of headaches.

      Hackers only get away with exploits in most cases because either a) it hasn't been patched and remains open to exploit or b) they are not ensuring that the data people are sending them is valid.

      --
      GetOuttaMySpace - The Anti-Social Network
    6. Re:Y'know... by outZider · · Score: 1

      Funny thing about homegrown projects is that things always get tacked on. My boss says that he "has already thought of everything." I've found that to never be true. You may be perfect in every way, but the rest of the world is not.

      Stuff happens.

      --
      - oZ
      // i am here.
    7. Re:Y'know... by njyoder · · Score: 2, Informative

      That won't happen. About a week ago LJ changed its cookie scheme. This scheme places a cookie on www.livejournal.com which is what is required to post anything and to change account settings. All journals are under some other hostname, so it is impossible to use XSS to get that www.livejournal.com (ljmastersession) cookie unless a bug in a browser breaks its own security model (that's beyond the scope of anything a website can do though). They also use HTTPOnly cookies for MSIE, which means that none of the cookies can be stolen for IE either (it's funny that Firefox refuses to implement this great idea just out of petty Microsoft hatred).

      These new filters they're testing right now will include whitelisting of CSS. Whitelisting, of course, is a very powerful mechanism to mitigate XSS as well. This is in addition to potentially hosting all CSS on their servers.

      Not just that, but they have implemented other features recently. One allows you to view recent logins. Another ties cookies to your subnet (in addition to the optional login option which lets you bind it to a specific ip). You can no longer change your e-mail address on your account without your password.

      So LJ has now put quite a few mechanisms in place to make things more secure. So please, before ignorantly suggesting that they go back and "design it correctly," maybe you should actually READ about all the new security features implemented, including the new ones that they're testing now. But hey, I don't expect a Slashdotter to actually read and research so they know what the fuck they're talking about. After all, if LJ has a contest, it's NOT AT ALL POSSIBLE that they're testing new features that you can easily read about.
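
The two defences shift.red.avni and njyoder describe (HttpOnly on the session cookie, and scoping that cookie to www.livejournal.com rather than to the journal hostnames) can be checked mechanically from a site's Set-Cookie headers. The audit below is an added example, not LiveJournal's code; the header values, the cookie named example_pref and the journal hostname someuser.livejournal.com are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample Set-Cookie headers (not captured from LiveJournal):
# a host-only session cookie with HttpOnly, as njyoder describes, next to a
# hypothetical preference cookie scoped to the whole domain without HttpOnly.
SAMPLE_HEADERS = [
    "ljmastersession=EXAMPLE-SESSION-VALUE; Path=/; HttpOnly",
    "example_pref=EXAMPLE-PREF-VALUE; Domain=.livejournal.com; Path=/",
]


@dataclass
class Cookie:
    name: str
    domain: Optional[str]  # Domain attribute (leading dot stripped); None = host-only
    httponly: bool
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into its name and the attributes we audit."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    domain, httponly, secure = None, False, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.lower()
        if key == "domain":
            domain = value.strip().lstrip(".").lower()
        elif key == "httponly":
            httponly = True
        elif key == "secure":
            secure = True
    return Cookie(name, domain, httponly, secure)


def sent_to(cookie: Cookie, set_host: str, request_host: str) -> bool:
    """Would a browser attach this cookie to a request for request_host?
    Host-only cookies (no Domain attribute) go only to the host that set them;
    Domain cookies go to that domain and every subdomain (RFC 6265 domain-matching)."""
    request_host = request_host.lower()
    if cookie.domain is None:
        return request_host == set_host.lower()
    return request_host == cookie.domain or request_host.endswith("." + cookie.domain)


def xss_exposure(cookie: Cookie, set_host: str, script_host: str) -> str:
    """Classify what a script injected into a page on script_host could do with the cookie."""
    if not sent_to(cookie, set_host, script_host):
        return "out of scope"              # hostname separation: never sent, never visible
    if cookie.httponly:
        return "sendable but unreadable"   # rides along on requests, hidden from document.cookie
    return "readable"                      # document.cookie exposes it to the script


def audit(headers, set_host="www.livejournal.com", script_host="someuser.livejournal.com"):
    """Map each cookie name to its exposure for a script running on script_host."""
    return {c.name: xss_exposure(c, set_host, script_host) for c in map(parse_set_cookie, headers)}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_HEADERS).items():
        print(f"{name}: {verdict}")
```

Note that "sendable but unreadable" still means the cookie accompanies any request the injected script triggers, so HttpOnly stops cookie theft but not request forgery.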

  4. well, obviously by negaluke · · Score: 0

    one major vulnerability is its location; based in the corporeal world, all an enterprising ne'er-do-well would have to do is instigate fire, flood, hurricane, volcano, meteor or godzilla-related damage. i'll take my free permanent account whenever you're ready.

  5. Other possible prizes: by RandoX · · Score: 1, Interesting

    Matching steel bracelets? Just because LJ encourages it doesn't make it legal. At the very least, it's probably a violation of the TOS of your ISP.

    1. Re:Other possible prizes: by Rob+T+Firefly · · Score: 1

      If LJ is giving you permission to throw what you can at them, doing so can hardly be seen as wrong in the eyes of your ISP or the law.

    2. Re:Other possible prizes: by RandoX · · Score: 0

      So if I were to say, "I'm tired of my life. Please use this gun and shoot me in the head." and you did, do you think you aren't going for a ride in the back of the police car? Perhaps an extreme analogy, but I highly doubt that your ISP's TOS or applicable laws have a clause for "unless they asked for it".

    3. Re:Other possible prizes: by Rob+T+Firefly · · Score: 5, Insightful

      Shooting you in the head is illegal no matter what, but hacking away at a computer is only illegal if you don't have permission to do so. Otherwise, everyone who ever implemented and tested their own security, everyone who took potshots at their own firewall, and every professional computer security tech who ever did his or her job at all, would be a criminal.

    4. Re:Other possible prizes: by GCsoftware · · Score: 3, Interesting

      Yes, that's why I'm serving 25 to life for being a security consultant and there is no such thing as a penetration testing industry. Why post if you have no idea?

    5. Re:Other possible prizes: by gavri · · Score: 0, Informative

      You are not supposed to hack away on http://www.livejournal.com/

      They provide a sandbox: http://www.test.dev.livejournal.org/

    6. Re:Other possible prizes: by RandoX · · Score: 1

      From the Time Warner Acceptable Use policy:

      The ISP Service may not be used to breach or attempt to breach the security, the computer, the software or the data of any person or entity, including Operator, to circumvent the user authentication features or security of any host, network or account, to use or distribute tools designed to compromise security, or to interfere with another's use of the ISP Service through the posting or transmitting of a virus or other harmful item to deliberately overload or flood that entity's system.

      You'll notice, like I said, that there is no provision for "unless he asked for it".

    7. Re:Other possible prizes: by Anonymous Coward · · Score: 1, Informative

      violating the TOS for this purpose isn't criminal, as no laws are being broken.

    8. Re:Other possible prizes: by makomk · · Score: 1

      It was a very good sandbox too, until hordes of Slashdotters came along and carried out all the sand on their shoes :-(

    9. Re:Other possible prizes: by Minwee · · Score: 1
      "Why post if you have no idea?"

      I see that this is your first time on Slashdot. Don't worry, it takes some time to get used to how we do things here but eventually it will all make sense.

  6. Why only XSS? by Tethys_was_taken · · Score: 2, Insightful

    I haven't R'd TFA completely, but why only XSS? Why not put the bounty up on ANY vulnerability? Is there something special about XSS bugs that makes them more important than other vulnerabilities?

    Besides, I think putting up a bounty makes it more "legal" and will bring out more of the more-experienced White Hats into the game and make LJ that much safer...

  7. possible other prizes by digitaldc · · Score: 4, Funny

    LiveJournal is offering a free permanent account and possibly other prizes

    Rumours are the other prizes include books on forming lasting interpersonal relationships, 7-day trips to Club Med, and the book 'Romance for Dummies.'

    --
    He who knows best knows how little he knows. - Thomas Jefferson
    1. Re:possible other prizes by Provocateur · · Score: 2, Funny

      The fine print:

      7-day trips to Club Med

      Actually, 7-day trips for two to Club Med, but in the event that you're going alone, doing the Han Solo thing, that'll be a 14-day trip for one. With a fully loaded mini-bar in your room if you ever get tired of 'shaking hands with the wookie'.

      --
      WARNING: Smartphones have side effects--most of them undocumented.
    2. Re:possible other prizes by poot_rootbeer · · Score: 2, Funny

      Rumours are the other prizes include books on forming lasting interpersonal relationships, 7-day trips to Club Med, and the book 'Romance for Dummies.'

      Y'know, those that live in Slash houses shouldn't cast stones...

  8. OOOh! A shiny thing! by Gothmolly · · Score: 4, Funny

    A free LiveJournal account? Boy, my friends on MySpace will be so jealous!

    --
    I want to delete my account but Slashdot doesn't allow it.
  9. hacker demographic? by revery · · Score: 4, Funny

    Teenage, earth-loving, wiccan hackers unite!

    the above comment is an unfair stereotype and should be viewed with extreme suspicion

  10. Excellent idea by tdvaughan · · Score: 4, Funny

    Prize for proving that a product is insecure and poorly designed: the product itself!

    1. Re:Excellent idea by drgreg911 · · Score: 1

      I'm too lazy to read the article, but I assume once you've exploited it they'll fix it...doesn't seem like a bad concept to me.

  11. Free "lifetime" account* by metamatic · · Score: 2, Insightful

    *Account is only "lifetime" until they decide they don't like you.

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    1. Re:Free "lifetime" account* by aug24 · · Score: 2, Funny

      ...then they kill you?!

      Sheesh, these guys are much tougher than I thought. At least I only get bad karma here.

      Justin.

      --
      You're only jealous cos the little penguins are talking to me.
  12. TRANSLATION: by Anonymous Coward · · Score: 3, Funny

    "We're too incompetent and lazy to fix our own stuff. Why don't you do it for us, and for cheap/free?"

    1. Re:TRANSLATION: by Anonymous Coward · · Score: 0

      They are mostly fixing Mozilla's crap, not their own. They are even helping Mozilla to fix their crap (by implementing HttpOnly support for Mozilla), but Mozilla is too lazy to include this stuff (or does not care about security at all).

  13. Wait a minute by Anonymous Coward · · Score: 0

    Firefox has an exploit?

  14. Marketing gimmick? by joostje · · Score: 1, Interesting

    From the announcement:
    STEP 1: Go to http://www.test.dev.livejournal.org/ . Make an account. Probably need to change it to paid so you can make styles/etc.
    So to be able to help them test their security, you have to pay them? Or am I missing something?

    1. Re:Marketing gimmick? by Anonymous Coward · · Score: 0

      Click on the paid account link in the story. It's a link to the management console to set your account level.

    2. Re:Marketing gimmick? by Zorikin · · Score: 1, Troll

      I created a test account to see if they let you change status to "paid" on the test server without paying. Nope.

    3. Re:Marketing gimmick? by Anonymous Coward · · Score: 0

      Do none of you follow instructions? RTFA there's a link in it to change your account status

    4. Re:Marketing gimmick? by makomk · · Score: 2, Informative

      This got +3 Informative? You see the words "change it to paid" in the instructions linked to by Slashdot? Notice that they're a link? If you click on those, you can change your account on the test server to a "paid" one without actually paying anything. The interface is a bit bare, but it works.

      BTW, the only reason I haven't figured out a way to do something *really* nasty is that they seem to have totally disabled inline style markup on comments. (I've spotted some smaller holes, but if it wasn't for that little barrier...)

    5. Re:Marketing gimmick? by Zorikin · · Score: 1

      Ah, a magic link that the gp neglected to preserve. That makes more sense. The test server's copy of the standard account upgrade page still demands a CC#.

  15. Somebody please pull a Tyler Durden on livejournal by British · · Score: 2, Funny

    Turn ALL friends-only and private entries public, so everyone can see them. Thus rendering the "piggybackers*" obsolete, all the knives in each others backs will be totally revealed. Know those negative things you said in private about your boyfriend that he didn't know about? He would know now. ...and watch armageddon happen with a bunch of moody 19 year olds. :)

  16. The Cross Site Scripting FAQ by Anonymous Coward · · Score: 1, Informative
  17. Firefox? by timbrown · · Score: 1

    Timing is a wonderful thing, I'd just published a very similar issue with IE about an hour before the Firefox issue hit full disclosure: http://www.nth-dimension.org.uk/news/entry.php?e=156579087. If you run IE don't feel left out, we can run arbitrary Javascript via your style sheets too.

    --
    Tim Brown
  18. Video by Anonymous Coward · · Score: 0

    Here's a video of an XSS-attack against LiveJournal:
    http://video.antichat.net/file31.html

    Looks like it happened quite a while before they acknowledged it:
    http://community.livejournal.com/lj_dev/708069.html

  19. OT: Secure LiveJournal RSS feeds? by Anonymous Coward · · Score: 0

    Sorry for the somewhat offtopic-ness of this post, but I imagine this is the kind of thread that will be read by people who actually know the answer or know where to tell me to look.

    The goal:
    Securely read my friend's "friends-only" livejournal posts in my RSS reader.

    If I use an rss feed in this format:
    h**ps://myusername:mypassword@www.livejournal.com/users/myfriendsusername/data/rss?auth=digest

    My password is still sent "in the clear" (actually MD5, but still easily used for maliciousness).

    Any ideas?

    1. Re:OT: Secure LiveJournal RSS feeds? by Nurgled · · Score: 1

      Digest auth (which I assume from the URL is what LJ is using here) uses a one-time nonce as a challenge, so capturing your response would not benefit an attacker since the same response cannot be replayed. Also, the MD5 hash you're seeing your client send is based not only on your password and the nonce but also on the HTTP method being used and the URI being requested. Digest auth does have its flaws, but I think it's secure enough for this purpose.
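
The binding Nurgled describes (response = MD5 over the credentials hash, the server's nonce, and a hash of method and URI) is what makes a captured digest response useless for replay. The script below is an added example, not LiveJournal's or any library's code: it implements the RFC 2617 response computation, a toy server that issues single-use nonces, and a constructed exchange using the poster's placeholder credentials and URI; the realm and the second URI are assumed.

```python
import hashlib
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 Digest response.
    Without qop (the RFC 2069 form): MD5(HA1:nonce:HA2).
    With qop=auth:                   MD5(HA1:nonce:nc:cnonce:qop:HA2).
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri), so the result is
    tied to the server's nonce and to the exact method and URI requested."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop is None:
        return _md5(f"{ha1}:{nonce}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Minimal server side: hands out single-use nonces and verifies responses."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users          # username -> password (a real server stores HA1, not passwords)
        self.issued = set()         # nonces that are valid for exactly one response

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, response):
        if nonce not in self.issued:
            return False            # unknown or already-consumed nonce: replay rejected
        self.issued.discard(nonce)  # one-time use, whether or not the response checks out
        password = self.users.get(username)
        if password is None:
            return False
        expected = digest_response(username, self.realm, password, method, uri, nonce)
        return secrets.compare_digest(expected, response)


def replay_demo():
    """Constructed exchange: one valid fetch of the feed, then two reuses of captured material.
    Returns (first_ok, replay_ok, other_uri_ok)."""
    # Credentials and feed URI are the placeholders from the post; realm is assumed.
    server = DigestServer("livejournal", {"myusername": "mypassword"})
    feed = "/users/myfriendsusername/data/rss"
    nonce = server.challenge()
    resp = digest_response("myusername", server.realm, "mypassword", "GET", feed, nonce)
    first = server.verify("myusername", "GET", feed, nonce, resp)
    replay = server.verify("myusername", "GET", feed, nonce, resp)      # same nonce, same hash
    nonce2 = server.challenge()
    resp2 = digest_response("myusername", server.realm, "mypassword", "GET", feed, nonce2)
    other = server.verify("myusername", "GET", "/manage/settings", nonce2, resp2)  # hash bound to feed URI
    return first, replay, other


if __name__ == "__main__":
    print(replay_demo())  # (True, False, False)
```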

  20. LJ bullshit by metamatic · · Score: 1

    They'll kill your account any time they dislike what you post. Paid member, lifetime member, whatever. No right of appeal, your accuser and judge remain anonymous, no compromise allowed.

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    1. Re:LJ bullshit by EricJay · · Score: 1
      Looks like there was plenty of opportunity for him to appeal and compromise:
      The Abuse team also state that my account will be reinstated if I agree to delete the comment. I remind them that I have already offered to delete the comment if either (a) the troll's account is suspended... or (b) the TOS is updated...
      Compromise means that to get what you want, you don't always get it on all of your own terms. Meta wanted his way, his terms... unfortunately for him, it's not his website!

      The whole case was one user posting flamebait and another taking it. Flamebait (as unpleasant as it might be) isn't against the LiveJournal TOS, but posting the offending user's real-world contact info as a response is. If only there was a website where all members of the community could work together to devalue flamebait comments...

    2. Re:LJ bullshit by metamatic · · Score: 1

      But it wasn't against the TOS at the time of the event, that's the whole point. If it had been, that would have been a different matter. And I offered to delete the comment if the TOS was corrected to prohibit it.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    3. Re:LJ bullshit by aug24 · · Score: 1

      Fucking great sig btw. Any ideas how we might start a campaign to get an informationally dense statement like the one below on every single blog in the world...?

      "In 1989 the PRC violently suppressed a peaceful student protest in Tiananmen Square killing hundreds"

      90-odd letters. Not bad.

      J.

      --
      You're only jealous cos the little penguins are talking to me.
    4. Re:LJ bullshit by metamatic · · Score: 1

      Well, it's on my blog, along with others, in slightly longer form. I encourage others to spread the meme. Squeezing it into a Slashdot sig was tough.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  21. +1 Insightful by Anonymous Coward · · Score: 0

    If only I had a point

  22. Re:Somebody please pull a Tyler Durden on livejour by TubeSteak · · Score: 2, Funny

    In the LJ world, we call that an "Angst-Bomb"

    Last time one of those went off, LiveJournal's servers melted down, the attempted suicides rate spiked for a week, low lying areas were flooded from the deluge of tears....

    I could go on, but I think you get the idea.

    --
    [Fuck Beta]
    o0t!
  23. Re:Personal Contact Info For LJ Hackers by weevlos · · Score: 3, Insightful

    You misspelled aempirei. He's also known as Christopher Abad, and has been featured on Slashdot before for his contributions to the security community. Something tells me such a respected figure among whitehat hackers would not have much to do with some blog defacements.

    Maybe you should stop blaming the actions of everyone who idles in that channel on a small minority of their non-livejournal-using denizens.

  24. Re:Personal Contact Info For LJ Hackers by hepkitten · · Score: 2, Informative

    Hello!

    It is true, I am the a+++ #1 mayor of Bantown! However Bantown is an independent citystate and not responsible for the actions of its citizens! That would be like the city of San Francisco being responsible because one of its citizens plans and carries on activities such as conspiracy and instigating riots! I am sorry that someone on the internet was mean to you! However carrying on some immature internet grudge against people and then trying to get other people in on it is a little high schoolish don't you think? Also excellent internet detection skillz! It must have taken you five whole minutes of reading encyclopediadramatica.com to figure out who was involved! Too bad flata has never been on #bantown in her life, hugs for effort tho!

    In conclusion: I am sorry I broke up with you and started dating someone else a week later. You weren't very good in bed and kind of boring to date. I am glad you are getting over it tho! This kind of therapy is really good, however it's probably better to do such things without trying to involve half the internet in our 6-month-old breakup.

    I will refrain from posting your livejournal and contact information.

    not yours anymore,

    hep
    a++ #1 mayor of Bantown

    ps #bantown is an irc channel for discussion about a man fucking a chicken. Any activities regarding hacking, livejournal, or xss flaws are unrelated. Please stop by soon and see us to discuss chicken fucking!

  25. Re:Personal Contact Info For LJ Hackers by Anonymous Coward · · Score: 0

    You must have very little defense if you have to imply that this is the reason for such outrage. There are plenty (correction: few) people who are not your ex and are equally confused as to the motivation of such infantile behavior.

  26. Re:Personal Contact Info For LJ Hackers by Anonymous Coward · · Score: 0

    Thankfully, hep's ex-boyfriend is roommates with a Bantown member who takes the liberty of sniffing his traffic. We know for sure that he is responsible.

    ps BANTOWN 4 LYF!!! :D

  27. No, it's not. by Grendel+Drago · · Score: 1

    Making software bulletproof is probably impossible.

    Tell that to Dan Bernstein or Donald Knuth.

    --
    Laws do not persuade just because they threaten. --Seneca