Slashdot Mirror


LiveJournal XSS Security Challenge

Jamesday writes "LiveJournal is offering a free permanent account and possibly other prizes to those who find new vulnerabilities in its XSS Security Challenge. LiveJournal has recently been attacked via a Firefox XSS exploit."

22 of 66 comments

  1. I have no time for this by Steev · · Score: 5, Funny

    Maybe if the prize was something useful, I might be interested. I have my hands full exploiting MySpace.

  2. Y'know... by Grendel+Drago · · Score: 4, Interesting

    ... this wouldn't even be necessary if they'd taken security seriously in the first place, instead of tacking it on as an afterthought, or using the "eh, we can probably trust all this user-submitted content" model.

    But still, good to see them taking it seriously. Now, instead of Bantown getting an eternal newspost declaring their victory, they'll just get permanent accounts.

    --
    Laws do not persuade just because they threaten. --Seneca
    1. Re:Y'know... by laffer1 · · Score: 3, Insightful

      What I find interesting about your comment is that you admit it's probably impossible to make bulletproof software, yet you think they should rewrite it "correctly". I see comments like this all the time on slashdot and on security minded lists like bugtraq, webappsec, etc. I've yet to see anyone come up with a list or example site that is "written correctly." In the rare case someone does offer an example, it's usually as bad as something I'd see in a CS class. There are like one or two input fields that have very well defined input. Anyone could write secure code for that. On the Internet, it's not that easy. People want to post HTML comments, invalid HTML, 10 year old HTML, javascript they generated on some site to make a button or sig come alive. Blogging sites have two target audiences, 18-30-year-olds and younger people. Most younger people would prefer to use an IM client than anything else, and occasionally older people do keep blogs. Live Journal has a better range than most sites. Most people in these target groups want to post HTML comments or at least rich formatted posts.

      I don't think people realize how complex a blogging site can be. Attempting to secure a blogging site is a real task. Live journal actually has a revenue stream and paid programmers so there is less excuse for them not to try, but succeeding is another matter. In reality, if they cut off rich content posting then their users will move on to another service or simply find an OSS product they can run themselves. Then we'll have automated attacks on those scripts. I've written a blogging site in java, and it's not even close to secure. I'm in the process of rewriting the whole thing in a language I'm more familiar with. It's not an easy task.

    2. Re:Y'know... by shift.red.avni · · Score: 2, Informative

      They always have taken it seriously. In fact IE LJ users have been nearly invulnerable to simple (stuff that doesn't exploit IE cross-domain vulnerabilities) XSS attacks for years, because of LJ's use of HTTPONLY cookies.

      Firefox devs have in the past explicitly ruled out supporting HTTPONLY pretty much just because Microsoft invented it. The result is Firefox users are much more vulnerable to XSS attacks than IE users.

    3. Re:Y'know... by njyoder · · Score: 2, Informative

      That won't happen. About a week ago LJ changed its cookie scheme. This scheme places a cookie on www.livejournal.com which is what is required to post anything and to change account settings. All journals are under some other hostname, so it is impossible to use XSS to get that www.livejournal.com (ljmastersession) cookie unless a bug in a browser breaks its own security model (that's beyond the scope of anything a website can do though). They also use HTTPOnly cookies for MSIE, which means that none of the cookies can be stolen for IE either (it's funny that Firefox refuses to implement this great idea just out of petty Microsoft hatred).

      These new filters they're testing right now will include whitelisting of CSS. Whitelisting, of course, is a very powerful mechanism to mitigate XSS as well. This is in addition to potentially hosting all CSS on their servers.

      Not just that, but they have implemented other features recently. One allows you to view recent logins. Another ties cookies to your subnet (in addition to the optional login option which lets you bind it to a specific ip). You can no longer change your e-mail address on your account without your password.

      So LJ has now put quite a few mechanisms in place to make things more secure. So please, before ignorantly suggesting that they go back and "design it correctly," maybe you should actually READ about all the new security features implemented, including the new ones that they're testing now. But hey, I don't expect a Slashdotter to actually read and research so they know what the fuck they're talking about. After all, if LJ has a contest, it's NOT AT ALL POSSIBLE that they're testing new features that you can easily read about.
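      The two mechanisms the comment above leans on, a host-only master session cookie on www.livejournal.com and the HttpOnly flag, can be modelled directly. The following is an added example written for this page, not LiveJournal's code: it parses Set-Cookie headers the way a browser stores them, applies the RFC 6265 domain-matching rule, and shows what document.cookie would expose to script injected into a journal page. The hostnames and the ljmastersession name come from the comment; the second cookie (lj_prefs_example) and all values are constructed for the example. Path and Secure handling are left out to keep the model short.

```javascript
// Added illustrative model of browser cookie scoping and HttpOnly.
// Not LiveJournal's implementation; cookie values are placeholders.

// Store a cookie the way a browser does after parsing one Set-Cookie header
// received from requestHost. With no Domain attribute the cookie is host-only.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: requestHost.toLowerCase(),
    hostOnly: true,
    httpOnly: false,
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain':
        // A leading dot is ignored; the cookie now matches the domain and its subdomains.
        cookie.domain = v.replace(/^\./, '').toLowerCase();
        cookie.hostOnly = false;
        break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'secure': cookie.secure = true; break;
      // Path, Expires, Max-Age are ignored in this model.
    }
  }
  return cookie;
}

// RFC 6265 section 5.1.3: host domain-matches domain if equal or a subdomain of it.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Cookies the browser would attach to a request for this host (path ignored).
function cookiesSentTo(jar, host) {
  const h = host.toLowerCase();
  return jar.filter(c => (c.hostOnly ? h === c.domain : domainMatches(h, c.domain)));
}

// What document.cookie exposes to script on this host: the cookies sent to the
// host, minus every cookie flagged HttpOnly. Returns cookie names.
function cookiesVisibleToScript(jar, host) {
  return cookiesSentTo(jar, host).filter(c => !c.httpOnly).map(c => c.name);
}

// Constructed jar (values are placeholders, not real session tokens).
const jar = [
  // Master session: host-only on www.livejournal.com and HttpOnly.
  parseSetCookie('ljmastersession=MASTER; Path=/; HttpOnly', 'www.livejournal.com'),
  // Hypothetical site-wide preference cookie, readable by script anywhere on the domain.
  parseSetCookie('lj_prefs_example=PREF; Domain=.livejournal.com; Path=/', 'www.livejournal.com'),
];

// Script injected into a journal page (a different host) sees neither the
// host-only master cookie nor any HttpOnly cookie.
console.log(cookiesVisibleToScript(jar, 'someuser.livejournal.com')); // [ 'lj_prefs_example' ]

// Even on www.livejournal.com itself, HttpOnly keeps the master session out of document.cookie.
console.log(cookiesVisibleToScript(jar, 'www.livejournal.com'));      // [ 'lj_prefs_example' ]

// The same cookie without HttpOnly: an XSS on www.livejournal.com would read it.
const weakJar = [parseSetCookie('ljmastersession=MASTER; Path=/', 'www.livejournal.com')];
console.log(cookiesVisibleToScript(weakJar, 'www.livejournal.com'));  // [ 'ljmastersession' ]
```

      The model makes the comment's two claims separable: host-only scoping alone already keeps the master session away from script on journal subdomains, and HttpOnly is what additionally protects it on the host that owns it, which is exactly the protection a browser that ignores the flag does not get.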

  3. Why only XSS? by Tethys_was_taken · · Score: 2, Insightful

    I haven't R'd TFA completely, but why only XSS? Why not put the bounty up on ANY vulnerability? Is there something special about XSS bugs that makes them more important than other vulnerabilities?

    Besides, I think putting up a bounty makes it more "legal" and will bring out more of the more-experienced White Hats into the game and make LJ that much safer...

  4. possible other prizes by digitaldc · · Score: 4, Funny

    LiveJournal is offering a free permanent account and possibly other prizes

    Rumours are the other prizes include books on forming lasting interpersonal relationships, 7-day trips to Club Med, and the book 'Romance for Dummies.'

    --
    He who knows best knows how little he knows. - Thomas Jefferson
    1. Re:possible other prizes by Provocateur · · Score: 2, Funny

      The fine print:

      7-day trips to Club Med

      Actually, 7-day trips for two to Club Med, but in the event that you're going alone, doing the Han Solo thing, that'll be a 14-day trip for one. With a fully loaded mini-bar in your room if you ever get tired of 'shaking hands with the wookie'.

      --
      WARNING: Smartphones have side effects--most of them undocumented.
    2. Re:possible other prizes by poot_rootbeer · · Score: 2, Funny

      Rumours are the other prizes include books on forming lasting interpersonal relationships, 7-day trips to Club Med, and the book 'Romance for Dummies.'

      Y'know, those that live in Slash houses shouldn't cast stones...

  5. OOOh! A shiny thing! by Gothmolly · · Score: 4, Funny

    A free LiveJournal account? Boy, my friends on MySpace will be so jealous!

    --
    I want to delete my account but Slashdot doesn't allow it.
  6. Re:Other possible prizes: by Rob+T+Firefly · · Score: 5, Insightful

    Shooting you in the head is illegal no matter what, but hacking away at a computer is only illegal if you don't have permission to do so. Otherwise, everyone who ever implemented and tested their own security, everyone who took potshots at their own firewall, and every professional computer security tech who ever did his or her job at all, would be a criminal.

  7. hacker demographic? by revery · · Score: 4, Funny

    Teenage, earth-loving, wiccan hackers unite!

    the above comment is an unfair stereotype and should be viewed with extreme suspicion

  8. Excellent idea by tdvaughan · · Score: 4, Funny

    Prize for proving that a product is insecure and poorly designed: the product itself!

  9. Re:Other possible prizes: by GCsoftware · · Score: 3, Interesting

    Yes, that's why I'm serving 25 to life for being a security consultant and there is no such thing as a penetration testing industry. Why post if you have no idea?

  10. Free "lifetime" account* by metamatic · · Score: 2, Insightful

    *Account is only "lifetime" until they decide they don't like you.

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    1. Re:Free "lifetime" account* by aug24 · · Score: 2, Funny

      ...then they kill you?!

      Sheesh, these guys are much tougher than I thought. At least I only get bad karma here.

      Justin.

      --
      You're only jealous cos the little penguins are talking to me.
  11. TRANSLATION: by Anonymous Coward · · Score: 3, Funny

    "We're too incompetent and lazy to fix our own stuff. Why don't you do it for us, and for cheap/free?"

  12. Somebody please pull a Tyler Durden on livejournal by British · · Score: 2, Funny

    Turn ALL friends-only and private entries public, so everyone can see them. Thus rendering the "piggybackers*" obsolete, all the knives in each others backs will be totally revealed. Know those negative things you said in private about your boyfriend that he didn't know about? He would know now. ...and watch armageddon happen with a bunch of moody 19 year olds. :)

  13. Re:Marketing gimmic? by makomk · · Score: 2, Informative

    This got +3 Informative? You see the words "change it to paid" in the instructions linked to by Slashdot? Notice that they're a link? If you click on those, you can change your account on the test server to a "paid" one without actually paying anything. The interface is a bit bare, but it works.

    BTW, the only reason I haven't figured out a way to do something *really* nasty is that they seem to have totally disabled inline style markup on comments. (I've spotted some smaller holes, but if it wasn't for that little barrier...)
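    Two comments in this thread touch the same control: njyoder's mention of CSS whitelisting under test, and makomk's observation that inline style on comments has been disabled outright. Between "allow everything" and "disable it" sits a property whitelist, shown here as an added example written for this page (not LiveJournal's filter). The allowed property list and the value patterns are choices made for the example; the keyword regex targets the historical script carriers in CSS (IE expression() and behavior, Mozilla -moz-binding, javascript: URLs, @import) while the character class rejects anything outside a conservative alphabet.

```javascript
// Added illustrative whitelist sanitizer for inline style attributes.
// Not LiveJournal's code; the property list below is chosen for the example.

// Properties that only affect presentation of the author's own text.
const ALLOWED_PROPERTIES = new Set([
  'color', 'background-color', 'font-weight', 'font-style', 'font-size',
  'text-align', 'text-decoration', 'margin', 'padding',
]);

// Keywords that have carried script or remote fetches in CSS: IE expression(),
// behavior:url(.htc), Mozilla -moz-binding, javascript: URLs, @import, plus
// escape and comment syntax used to smuggle them past naive filters.
// Kept alongside the character-class check as defence in depth.
const DANGEROUS_VALUE = /expression|behavior|binding|url\s*\(|javascript:|@import|\\|\/\*|<|>|&/i;

// Only letters, digits, underscore, whitespace, # % . , and minus survive,
// so url(), parentheses, quotes, colons and semicolons in values are impossible.
const SAFE_VALUE = /^[\w\s#%.,-]+$/;

// Returns a rebuilt declaration list containing only allowed property/value pairs.
// Call this on the entity-decoded attribute value, since the browser decodes
// HTML entities before the CSS parser ever sees the text.
function sanitizeStyle(style) {
  const kept = [];
  for (const decl of style.split(';')) {
    const colon = decl.indexOf(':');
    if (colon < 0) continue;
    const prop = decl.slice(0, colon).trim().toLowerCase();
    const value = decl.slice(colon + 1).trim();
    if (!ALLOWED_PROPERTIES.has(prop)) continue;       // unknown property: drop, never "fix"
    if (value.length === 0 || value.length > 64) continue;
    if (DANGEROUS_VALUE.test(value)) continue;
    if (!SAFE_VALUE.test(value)) continue;
    kept.push(`${prop}: ${value}`);
  }
  return kept.join('; ');
}

// Constructed inputs of the kind a comment author might submit.
console.log(sanitizeStyle('color:#ff0000;font-weight:bold'));
// color: #ff0000; font-weight: bold
console.log(sanitizeStyle('color: expression(alert(document.cookie))'));
// (empty string)
console.log(sanitizeStyle('color: red; -moz-binding: url(evil.xml#x)'));
// color: red
console.log(sanitizeStyle('background-color: url(javascript:alert(1))'));
// (empty string)
```

    The filter is deliberately reject-only: a declaration that fails any check is dropped whole rather than rewritten, because partial cleaning (stripping one keyword and keeping the rest) is where most CSS filter bypasses have lived. The cost is that it refuses legitimate values such as font-family lists with quotes, which is the trade the whitelist makes.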

  14. Re:Somebody please pull a Tyler Durden on livejour by TubeSteak · · Score: 2, Funny

    In the LJ world, we call that an "Angst-Bomb"

    Last time one of those went off, LiveJournal's servers melted down, the attempted suicides rate spiked for a week, low lying areas were flooded from the deluge of tears....

    I could go on, but I think you get the idea.

    --
    [Fuck Beta]
    o0t!
  15. Re:Personal Contact Info For LJ Hackers by weevlos · · Score: 3, Insightful

    You misspelled aempirei. He's also known as Christopher Abad, and has been featured on Slashdot before for his contributions to the security community. Something tells me such a respected figure among whitehat hackers would not have much to do with some blog defacements.

    Maybe you should stop blaming the actions of everyone who idles in that channel on a small minority of their non-livejournal-using denizens.

  16. Re:Personal Contact Info For LJ Hackers by hepkitten · · Score: 2, Informative

    Hello!

    It is true, I am the a+++ #1 mayor of Bantown! However Bantown is an independent citystate and not responsible for the actions of its citizens! That would be like the city of San Francisco being responsible because one of its citizens plans and carries on activities such as conspiracy and instigating riots! I am sorry that someone on the internet was mean to you! However carrying on some immature internet grudge against people and then trying to get other people in on it is a little high schoolish don't you think? Also excellent internet detection skillz! It must have taken you five whole minutes of reading encyclopediadramatica.com to figure out who was involved! Too bad flata has never been on #bantown in her life, hugs for effort tho!

    In conclusion: I am sorry I broke up with you and started dating someone else a week later. You weren't very good in bed and kind of boring to date. I am glad you are getting over it tho! This kind of therapy is really good, however it's probably better to do such things without trying to involve half the internet in our 6-month-old breakup.

    I will refrain from posting your livejournal and contact information.

    not yours anymore,

    hep
    a++ #1 mayor of Bantown

    ps #bantown is an irc channel for discussion about a man fucking a chicken. Any activities regarding hacking, livejournal, or xss flaws are unrelated. Please stop by soon and see us to discuss chicken fucking!