Slashdot Mirror


LiveJournal XSS Security Challenge

Jamesday writes "LiveJournal is offering a free permanent account and possibly other prizes to those who find new vulnerabilities in its XSS Security Challenge. LiveJournal has recently been attacked via a Firefox XSS exploit."

5 of 66 comments

  1. Why only XSS? by Tethys_was_taken · · Score: 2, Insightful

    I haven't R'd TFA completely, but why only XSS? Why not put the bounty up on ANY vulnerability? Is there something special about XSS bugs that makes them more important than other vulnerabilities?

    Besides, I think putting up a bounty makes it more "legal" and will bring out more of the more-experienced White Hats into the game and make LJ that much safer...

  2. Re:Other possible prizes: by Rob T Firefly · · Score: 5, Insightful

    Shooting you in the head is illegal no matter what, but hacking away at a computer is only illegal if you don't have permission to do so. Otherwise, everyone who ever implemented and tested their own security, everyone who took potshots at their own firewall, and every professional computer security tech who ever did his or her job at all, would be a criminal.

  3. Free "lifetime" account* by metamatic · · Score: 2, Insightful

    *Account is only "lifetime" until they decide they don't like you.

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak

  4. Re:Y'know... by laffer1 · · Score: 3, Insightful

    What I find interesting about your comment is that you admit it's probably impossible to make bulletproof software, yet you think they should rewrite it "correctly". I see comments like this all the time on Slashdot and on security-minded lists like bugtraq, webappsec, etc. I've yet to see anyone come up with a list or example site that is "written correctly." In the rare case someone does offer an example, it's usually as bad as something I'd see in a CS class. There are like one or two input fields that have very well defined input. Anyone could write secure code for that. On the Internet, it's not that easy. People want to post HTML comments, invalid HTML, 10-year-old HTML, JavaScript they generated on some site to make a button or sig come alive. Blogging sites have two target audiences, 18-30 year olds and younger people. Most younger people would prefer to use an IM client than anything else, and occasionally older people do keep blogs. Live Journal has a better range than most sites. Most people in these target groups want to post HTML comments or at least rich formatted posts.

    I don't think people realize how complex a blogging site can be. Attempting to secure a blogging site is a real task. Live journal actually has a revenue stream and paid programmers so there is less excuse for them not to try, but succeeding is another matter. In reality, if they cut off rich content posting then their users will move on to another service or simply find an OSS product they can run themselves. Then we'll have automated attacks on those scripts. I've written a blogging site in Java, and it's not even close to secure. I'm in the process of rewriting the whole thing in a language I'm more familiar with. It's not an easy task.

  5. Re:Personal Contact Info For LJ Hackers by weevlos · · Score: 3, Insightful

    You misspelled aempirei. He's also known as Christopher Abad, and has been featured on Slashdot before for his contributions to the security community. Something tells me such a respected figure among whitehat hackers would not have much to do with some blog defacements.

    Maybe you should stop blaming the actions of everyone who idles in that channel on a small minority of their non-livejournal-using denizens.