LiveJournal XSS Security Challenge

Jamesday writes "LiveJournal is offering a free permanent account and possibly other prizes to those who find new vulnerabilities in its XSS Security Challenge. LiveJournal has recently been attacked via a Firefox XSS exploit."

Well..

[AWhiteFlame]

Poor guys at livejournal.. You're going to slashdot their VM test box.

Re:Well..

[Crazyscottie]

Hey, how did you know what software we were running?

-SixApart CEO

Re:Well..

[PastAustin]

Poor guys at livejournal.. You're going to slashdot their VM test box.

Poor guys at livejournal.. We did slashdot their VM test box.
That's what they get for giving it too little memory. Hey! At least the icon comes through!

I have no time for this

[Steev]

Maybe if the prize was something useful, I might be interested. I have my hands full exploiting MySpace.

Re:I have no time for this

[Muramasa]

If I ever had mod points, I'd mod you up. That was probably the funniest thing I've ever read on Slashdot.

Re:I have no time for this

[PastAustin]

Maybe if the prize was something useful, I might be interested. I have my hands full exploiting MySpace.

I was until Tom took down LOGIN for fucking repairs.
The fucking login!!! And there are MILLIONS OF PEOPLE who use that site.
Since things that suck are coming into fashion I'm wondering when Windows ME is going to make it's big comeback...

Re:I have no time for this

[DeafByBeheading]

Right. I can't imagine anyone who is both (1) qualified and (2) interested in the reward.

Y'know...

[Grendel+Drago]

... this wouldn't even be necessary if they'd taken security seriously in the first place, instead of tacking it on as an afterthought, or using the "eh, we can probably trust all this user-submitted content" model.

But still, good to see them taking it seriously. Now, instead of Bantown getting an eternal newspost declaring their victory, they'll just get permanent accounts.

Re:Y'know...

[Billosaur]

... this wouldn't even be necessary if they'd taken security seriously in the first place, instead of tacking it on as an afterthought, or using the "eh, we can probably trust all this user-submitted content" model.

Oh, but we can trust users, can't we? And what's with a little harmless hacking? Good for the spirit, good for the soul!

Making software bulletproof is probably impossible. If one coder can think something up, another can devise a way to break it or exploit it. LiveJournal is going to run their little contest, someone will come along and solve their current problem, and all the while Bantown will be finding a new exploit. Perhaps they should go back to first principles and design the site correctly.

Re:Y'know...

[laffer1]

What I find interesting about your comment is that you admit its probably impossible to make bulletproof software, yet you think they should rewrite it "correctly". I see comments like this all the time on slashdot and on security minded lists like bugtraq, webappsec, etc. I've yet to see anyone come up with a list or example site that is "written correctly." In the rare case someone does offer an example, its usually as bad as something I'd see in a CS class. There is like one or two input fields that have very well defined input. Anyone could write secure code for that. On the Internet, its not that easy. People want to post HTML comments, invalid HTML, 10 year old HTML, javascript they generated on some site to make a button or sig come alive. Blogging sites have two target audiences, 18-30 year olds and younger people. Most younger people would prefer to use an IM client than anything else, and occasionally older people do keep blogs. Live Journal has a better range than most sites. Most people in these target groups want to post HTML comments or at least rich formatted posts.

I don't think people realize how complex a blogging site can be. Attempting to secure a blogging site is a real task. Live journal actually has a revenue stream and paid programmers so there is less excuse for them not to try, but succeeding is another matter. In reality, if they cut of rich content posting then their users will move on to another service or simply find a OSS product they can run themselves. Then we'll have automated attacks on those scripts. I've written a blogging site in java, and its not even close to secure. I'm in the process of rewriting the whole thing in a language I'm more familiar with. Its not an easy task.

Re:Y'know...

[shift.red.avni]

They always have taken it seriously. In fact IE LJ users have been nearly invulnerable from simple (stuff that doesn't exploit IE cross-domain vulnerabilities) XSS attacks for years, because of LJ's use of HTTPONLY cookies.

Firefox dev's have in the past explicitly ruled out supporting HTTPONLY pretty much just because Microsoft invented it. The result is Firefox users are much more vulnerable to XSS attacks that IE users.

Re:Y'know...

[timbrown]

Cookies.... screw cookies, XSS is about so much more. As an example how about clipboard stealing, unfixed by Microsoft since 2002. :)

Re:Y'know...

[Billosaur]

I don't think people realize how complex a blogging site can be. Attempting to secure a blogging site is a real task. Live journal actually has a revenue stream and paid programmers so there is less excuse for them not to try, but succeeding is another matter.

There is a vast difference between making a site "bulletproof" and making it work "correctly." Make no mistake, any software undertaking is not easy, but when a piece of software has to interact with the outside environment, the correct procedure is to treat data like stinky fish until you can verify its integrity. I write Perl apps and the taint mode (-T) switch is my friend. It forces me to ask "what is this data and how do I know it's valid?" If I can't answer that question, I shouldn't be using it. Now, to parse blog material is tedious, because content can take on so many different internal formats, but if you stick to only allowing content a certain way and then parse consistantly, you can avoid a lot of headaches.

Hackers only get away with exploits in most cases because either a) it hasn't been patched and remains open to exploit or b) they are not ensuring that the data people are sending them is valid.

Re:Y'know...

[outZider]

Funny thing about homegrown projects is that things always get tacked on. My boss says that he "has already thought of everything." I've found that to never be true. You may be perfect in every way, but the rest of the world is not.

Stuff happens.

Re:Y'know...

[njyoder]

That won't happen. About a week ago LJ change its cookie scheme. This scheme places a cookie on www.livejournal.com which is what is required to post anything and to change account settings. All journals are under some other hostname, so it is impossible to use XSS to get that www.livejournal.com (ljmastersession) cookie unless a bug in a browser breaks its own security model (that's beyond the scope of anything a a website can do though). The also use HTTPOnly cookies for MSIE, which means that none of the cookies can be stolen for IE either (it's funny that Firefox refuses to implement this great idea just out of petty Microsoft hatred).

These new filters they're testing right now will include whitelisting of CSS. Whitelisting, of course, is a very powerful mechanism to mitigate XSS as well. This is in addition to potentially hosting all CSS on their servers.

Not just that, but they have implemented other features recently. One allows you to view recent logins. Another ties cookies to your subnet (in addition to the optional login option which lets you bind it to a specific ip). You can no longer change your e-mail address on your account without your password.

So LJ has now put quite a few mechanisms in place make things more secure. So please, before ignorantly suggesting that they go back and "design it correctly," maybe you should actually READ about all the new security features implemented, including the new ones that they're testing now. But hey, I don't expect a Slashdotter to actually read and research so they know what the fuck they're talking about. After all, if LJ has a contest, it's NOT AT ALL POSSIBLE that they're testing new features that you can easily read about.

well, obviously

[negaluke]

one major vulnerability is it's location; based in the corporeal world, all an enterprising ne'er-do-well would have to do is instigate fire, flood, hurricane, volcano, meteor or godzilla-related damage. i'll take my free permanent account whenever you're ready.

Other possible prizes:

[RandoX]

Matching steel bracelets? Just because LJ encourages it doesn't make it legal. At the very least, it's probably a violation of the TOS of your ISP.

Re:Other possible prizes:

[Rob+T+Firefly]

I LJ is giving you permission to throw what you can at them, doing so can hardly be seen as wrong in the eyes of your ISP or the law.

Re:Other possible prizes:

[RandoX]

So if I were to say, "I'm tired of my life. Please use this gun and shoot me in the head." and you did, do you think you aren't going for a ride in the back of the police car? Perhaps an extreme analogy, but I highly doubt that your ISP's TOS or applicable laws have a clause for "unless they asked for it".

Re:Other possible prizes:

[Rob+T+Firefly]

Shooting you in the head is illegal no matter what, but hacking away at a computer is only illegal if you don't have permission to do so. Otherwise, everyone who ever mplemented and tested their own security, everyone who took potshots at their own firewall, and every professional computer security tech who ever did his or her job at all, would be a criminal.

Re:Other possible prizes:

[GCsoftware]

Yes, that's why I'm serving 25 to life for being a security consultant and there is no such thing as a penetration testing industry. Why post if you have no idea?

Re:Other possible prizes:

[gavri]

You are not supposed to hack away on http://www.livejournal.com/

They provide a sandbox: http://www.test.dev.livejournal.org/

Re:Other possible prizes:

[RandoX]

From the Time Warner Acceptable Use policy:

The ISP Service may not be used to breach or attempt to breach the security, the computer, the software or the data of any person or entity, including Operator, to circumvent the user authentication features or security of any host, network or account, to use or distribute tools designed to compromise security, or to interfere with another?s use of the ISP Service through the posting or transmitting of a virus or other harmful item to deliberately overload or flood that entity's system.

You'll notice, like I said, that there is no provision for "unless he asked for it".

Re:Other possible prizes:

violating the TOS for this purpose isnt criminal, as no laws are being broken.

Re:Other possible prizes:

[makomk]

It was a very good sandbox too, until hordes of Slashdotters came along and carried out all the sand on their shoes :-(

Re:Other possible prizes:

[Minwee]

"Why post if you have no idea?"

I see that this is your first time on Slashdot. Don't worry, it takes some time to get used to how we do things here but eventually it will all make sense.

Why only XSS?

[Tethys_was_taken]

I haven't R'd TFA completely, but why only XSS? Why not put the bounty up on ANY vulnerability? Is there something special about XSS bugs that makes them more important than other vulnerabilities?

Besides, I think putting up a bounty makes it more "legal" and will bring out more of the more-experienced White Hats into the game and make LJ that much safer...

possible other prizes

[digitaldc]

LiveJournal is offering a free permanent account and possibly other prizes

Rumours are the other prizes include books on forming lasting interpersonal relationships, 7-day trips to Club Med, and the book 'Romance for Dummies.'

Re:possible other prizes

[Provocateur]

The fine print:

7-day trips to Club Med

Actually, 7-day trips for two to Club Med, but in the event that you're going alone, doing the Han Solo thing, that'll be a 14-day trip for one. With a fully loaded mini-bar in your room if you ever get tired of 'shaking hands with the wookie'.
 

Re:possible other prizes

[poot_rootbeer]

Rumours are the other prizes include books on forming lasting interpersonal relationships, 7-day trips to Club Med, and the book 'Romance for Dummies.'

Y'know, those that live in Slash houses shouldn't cast stones...

OOOh! A shiny thing!

[Gothmolly]

A free LiveJournal account? Boy, my friends on MySpace will be so jealous!

hacker demographic?

[revery]

Teenage, earth-loving, wiccan hackers unite!

the above comment is an unfair stereotype and should be viewed with extreme suspicion

Excellent idea

[tdvaughan]

Prize for proving that a product is insecure and poorly designed: the product itself!

Re:Excellent idea

[drgreg911]

I'm too lazy to read the article, but I assume once you've exploited it they'll fix it...doesn't seem like a bad concept to me.

Free "lifetime" account*

[metamatic]

*Account is only "lifetime" until they decide they don't like you.

Re:Free "lifetime" account*

[aug24]

...then they kill you?!

Sheesh, these guys are much tougher than I thought. At least I only get bad karma here.

Justin.

TRANSLATION:

"We're too incompetent and lazy to fix our own stuff. Why don't you do it for us, and for cheap/free?"

Re:TRANSLATION:

They are mostly fixing Mozilla's crap, not their own. They are even helping Mozilla to fix their crap (by implementing HttpOnly support for Mozilla), but Mozilla is too lazy to include this stuff (or does not care about security at all).

Wait a minute

Firefox has an exploit?

Marketing gimmic?

[joostje]

From the announcement:
STEP 1: Go to http://www.test.dev.livejournal.org/ . Make an account. Probably need to change it to paid so you can make styles/etc.
So to be able to help them test their security, you have to pay them? Or am I missing something?

Re:Marketing gimmic?

Click on the paid account link in the story. It's a link to the management console to set your account level.

Re:Marketing gimmic?

[Zorikin]

I created a test account to see if they let you change status to "paid" on the test server without paying. Nope.

Re:Marketing gimmic?

Do none of you follow instructions? RTFA theres a link in it to change your account status

Re:Marketing gimmic?

[makomk]

This got +3 Informative? You see the words "change it to paid" in the instructions linked to by Slashdot? Notice that they're a link? If you click on those, you can change your account on the test server to a "paid" one without actually paying anything. The interface is a bit bare, but it works.

BTW, the only reason I haven't figured out a way do something *really* nasty is that they seem to have totally disabled inline style markup on comments. (I've spotted some smaller holes, but if it wasn't for that little barrier...)

Re:Marketing gimmic?

[Zorikin]

Ah, a magic link that the gp neglected to preserve. That makes more sense. The test server's copy of the standard account upgrade page still demands a CC#.

Somebody please pull a Tyler Durden on livejournal

[British]

Turn ALL friends-only and private entries public, so everyone can see them. Thus rendering the "piggybackers*" obsolete, all the knives in each others backs will be totally revealed. Know those negative things you said in private about your boyfriend that he didn't know about? He would know now. ...and watch armageddon happen with a bunch of moody 19 year olds. :)

The Cross Site Scripting FAQ

The Cross Site Scripting FAQ

Firefox?

[timbrown]

Timing is a wonderful thing, I'd just published a very similar issue with IE about an hour before the Firefox issue hit full disclosure: http://www.nth-dimension.org.uk/news/entry.php?e=1 56579087. If you run IE don't feel left out, we can run arbitrary Javascript via your style sheets too.

Huh.

[James+A.+V.+Joyce]

I bet the "free permanent account" lasts only until the publicity dies down, at which point posting anything slightly controversial will provoke LJ Abuse into banning your account under spurious TOS violations.

Video

Here's a video of an XSS-attack against LiveJournal:
http://video.antichat.net/file31.html

Looks like it happened quite a while before they acknowledged it:
http://community.livejournal.com/lj_dev/708069.htm l

OT: Secure LiveJournal RSS feeds?

Sorry for the somewhat offtopic-ness of this post, but I imagine this is the kind of thread that will be read by people who actually know the answer or know where to tell me to look.

The goal:
Securely read my friend's "friends-only" livejournal posts in my RSS reader.

If I use an rss feed in this format:
h**ps://myusername:mypassword@www.livejournal.com/ users/myfriendsusername/data/rss?auth=digest

My password is still sent "in the clear" (actually MD5, but still easily used for maliciousness).

Any ideas?

Re:OT: Secure LiveJournal RSS feeds?

[Nurgled]

Digest auth (which I assume from the URL is what LJ is using here) uses a one-time nonce as a challenge, so capturing your response would not benefit an attacker since the same response cannot be replayed. Also, the MD5 hash you're seeing your client send is based not only on your password and the nonce but also on the HTTP method being used and the URI being requested. Digest auth does have its flaws, but I think it's secure enough for this purpose.

LJ bullshit

[metamatic]

They'll kill your account any time they dislike what you post. Paid member, lifetime member, whatever. No right of appeal, your accuser and judge remain anonymous, no compromise allowed.

Re:LJ bullshit

[EricJay]

Looks like there was plenty of opportunity for him to appeal and compromise:

The Abuse team also state that my account will be reinstated if I agree to delete the comment. I remind them that I have already offered to delete the comment if either (a) the troll's account is suspended... or (b) the TOS is updated...

Compromise means that to get what you want, you don't always get it on all of your own terms. Meta wanted his way, his terms... unfortunately for him, it's not his website!

The whole case was one user posting flamebait and another taking it. Flamebait (as unpleasant as it might be) isn't against the LiveJournal TOS, but posting the offending user's real-world contact info as a response is. If only there was a website where all members of the community could work together to devalue flamebait comments...

Re:LJ bullshit

[metamatic]

But it wasn't against the TOS at the time of the event, that's the whole point. If it had been, that would have been a different matter. And I offered to delete the comment if the TOS was corrected to prohibit it.

Re:LJ bullshit

[aug24]

Fucking great sig btw. Any ideas how we might start a campaign to get an informationally dense statement like the below that on every single blog in the world...?

"In 1989 the PRC violently suppressed a peaceful student protest in Tiananmen Square killing hundreds"

90-odd letters. Not bad.

J.

Re:LJ bullshit

[metamatic]

Well, it's on my blog, along with others, in slightly longer form. I encourage others to spread the meme. Squeezing it into a Slashdot sig was tough.

+1 Insightful

If only I had a point

Personal Contact Info For LJ Hackers

As the original slashdot post on this topic mentioned, this exploit seems to be the work of a few assholes from an irc channel called bantown. These lame-asses got kicked off their last chatnet for pissing off the wrong botnet operators and getting the network DOS'ed. These days they hang out on irc.rizon.net #bantown if you want to tell them exactly how thrilled you are with their behavior. After all, everyone loves a group that uses an exploit like this to create LOLZ instead of notifying the proper folks within LJ so they can patch it up properly, right?

Here's the livejournals of a few people known to hang out in #bantown:

• Hep
• Sherrod
• aempiri
• aml
• oclet
• zb
• flata (uncomfirmed)

I can't confirm 100% either way that these people are personally involved in all of this mess or not, but at the very least, why don't you click on through and let them know what you think about the people they hang out with? After all, you can tell a lot about a person by the company they keep.

It'd be a real shame if someone exploited their Lj accounts in the same way they've been exploiting others'. A real fucking shame. It'd be even more of a shame if something happened to their irc net. I bet we'd all feel real fucking bad for them.

Re:Personal Contact Info For LJ Hackers

[weevlos]

You misspelled aempirei. He's also known as Christopher Abad, and has been featured on Slashdot before for his contributions to the security community. Something tells me such a respect figure among whitehat hackers would not have much to do with some blog defacements.

Maybe you should stop blaming the actions of everyone who idles in that channel on a small minority of their non-livejournal-using denizens.

Re:Personal Contact Info For LJ Hackers

[hepkitten]

Hello!

It is true, I am the a+++ #1 mayor of Bantown! However Bantown is an independent citystate and not responsible for the actions of its citizens! That would be like the city of San Francisco being responsible because one of its citizens plans and carries on activities such as conspiracy and instigating riots! I am sorry that someone on the internet was mean to you! However carrying on some immature internet grudge against people and then trying to get other people in on it is a little high schoolish don't you think? Also excellent internet detection skillz! It must have taken you five whole minutes of reading encyclopediadramatica.com to figure out who was involved! Too bad flata has never been on #bantown in her life, hugs for effort tho!

In conclusion: I am sorry I broke up with you and started dating someone else a week later. You weren't very good in bed and kind of boring to date. I am glad you are getting over it tho! This kind of therapy is really good, however it's probably better to do such things without trying to involved half the internet our 6month old breakup.

I will refrain from posting your livejournal and contact information.

not yours anymore,

hep
a++ #1 mayor of Bantown

ps #bantown is an irc channel for discussion about a man fucking a chicken. Any activities regarding hacking, livejournal, or xss flaws are unrelated. Please stop by soon and see us to discuss chicken fucking!

Re:Personal Contact Info For LJ Hackers

You must have very little defense if you have to imply that this is the reason for such outrage. There are plenty (correction: few) people who are not your ex and are equally confused at to the motivation of such infantile behavior.

Re:Personal Contact Info For LJ Hackers

Thankfully, hep's ex-boyfriend is roommates with a Bantown member who takes the liberty of sniffing his traffic. We know for sure that he is responsible.

ps BANTOWN 4 LYF!!! :D

Re:Somebody please pull a Tyler Durden on livejour

[TubeSteak]

In the LJ world, we call that an "Angst-Bomb"

Last time one of those went off, LiveJournal's servers melted down, the attempted suicides rate spiked for a week, low lying areas were flooded from the deluge of tears....

I could go on, but I think you get the idea.

mod 04

Serves to reinfo8ce

No, it's not.

[Grendel+Drago]

Making software bulletproof is probably impossible.

Tell that to Dan Bernstein or Donald Knuth.