Slashdot Mirror


LiveJournal XSS Security Challenge

Jamesday writes "LiveJournal is offering a free permanent account and possibly other prizes to those who find new vulnerabilities in its XSS Security Challenge. LiveJournal has recently been attacked via a Firefox XSS exploit."

11 of 66 comments

  1. I have no time for this by Steev · · Score: 5, Funny

    Maybe if the prize was something useful, I might be interested. I have my hands full exploiting MySpace.

  2. Y'know... by Grendel+Drago · · Score: 4, Interesting

    ... this wouldn't even be necessary if they'd taken security seriously in the first place, instead of tacking it on as an afterthought, or using the "eh, we can probably trust all this user-submitted content" model.

    But still, good to see them taking it seriously. Now, instead of Bantown getting an eternal newspost declaring their victory, they'll just get permanent accounts.

    --
    Laws do not persuade just because they threaten. --Seneca

    1. Re:Y'know... by laffer1 · · Score: 3, Insightful

      What I find interesting about your comment is that you admit it's probably impossible to make bulletproof software, yet you think they should rewrite it "correctly". I see comments like this all the time on slashdot and on security minded lists like bugtraq, webappsec, etc. I've yet to see anyone come up with a list or example site that is "written correctly." In the rare case someone does offer an example, it's usually as bad as something I'd see in a CS class. There are like one or two input fields that have very well defined input. Anyone could write secure code for that. On the Internet, it's not that easy. People want to post HTML comments, invalid HTML, 10 year old HTML, javascript they generated on some site to make a button or sig come alive. Blogging sites have two target audiences, 18-30 year olds and younger people. Most younger people would prefer to use an IM client than anything else, and occasionally older people do keep blogs. Live Journal has a better range than most sites. Most people in these target groups want to post HTML comments or at least rich formatted posts.

      I don't think people realize how complex a blogging site can be. Attempting to secure a blogging site is a real task. Live Journal actually has a revenue stream and paid programmers so there is less excuse for them not to try, but succeeding is another matter. In reality, if they cut off rich content posting then their users will move on to another service or simply find an OSS product they can run themselves. Then we'll have automated attacks on those scripts. I've written a blogging site in java, and it's not even close to secure. I'm in the process of rewriting the whole thing in a language I'm more familiar with. It's not an easy task.
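The usual defensive answer to the "users want to post HTML, invalid HTML, 10 year old HTML" problem laffer1 describes is an allowlist sanitizer rather than a blocklist; the following is an added illustration, not code from the thread or from LiveJournal, and its tag/attribute allowlist is a constructed example. It re-emits user markup keeping only known tags and attributes, rejects non-http(s)/mailto URLs, re-escapes all text, and closes tag soup so the output is well-formed.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: tag -> attributes it may keep. Anything else is dropped.
ALLOWED = {"b": set(), "i": set(), "em": set(), "strong": set(), "p": set(),
           "br": set(), "a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")  # relative URLs deliberately rejected
VOID = {"br", "img"}


class AllowlistSanitizer(HTMLParser):
    """Re-emits user HTML, keeping only allowlisted tags/attributes and
    re-escaping all text, so tag soup and legacy markup come out well-formed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack = [], []  # output pieces; tags still open

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # <script>, <blink>, <style>, ... vanish; their text is escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # drops on* handlers, style=, and bare attributes
            if name in URL_ATTRS and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # drops javascript:, data:, vbscript: and similar schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in self.stack:  # close it, plus anything left open inside it
            while (t := self.stack.pop()) != tag:
                self.out.append(f"</{t}>")
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # all text re-escaped; comments are dropped by default

    def result(self):
        while self.stack:  # close whatever the user never closed
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(user_html):
    p = AllowlistSanitizer()
    p.feed(user_html)
    p.close()
    return p.result()
```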

  3. possible other prizes by digitaldc · · Score: 4, Funny

    LiveJournal is offering a free permanent account and possibly other prizes

    Rumours are the other prizes include books on forming lasting interpersonal relationships, 7-day trips to Club Med, and the book 'Romance for Dummies.'

    --
    He who knows best knows how little he knows. - Thomas Jefferson

  4. OOOh! A shiny thing! by Gothmolly · · Score: 4, Funny

    A free LiveJournal account? Boy, my friends on MySpace will be so jealous!

    --
    I want to delete my account but Slashdot doesn't allow it.

  5. Re:Other possible prizes: by Rob+T+Firefly · · Score: 5, Insightful

    Shooting you in the head is illegal no matter what, but hacking away at a computer is only illegal if you don't have permission to do so. Otherwise, everyone who ever implemented and tested their own security, everyone who took potshots at their own firewall, and every professional computer security tech who ever did his or her job at all, would be a criminal.

  6. hacker demographic? by revery · · Score: 4, Funny

    Teenage, earth-loving, wiccan hackers unite!

    the above comment is an unfair stereotype and should be viewed with extreme suspicion

  7. Excellent idea by tdvaughan · · Score: 4, Funny

    Prize for proving that a product is insecure and poorly designed: the product itself!

  8. Re:Other possible prizes: by GCsoftware · · Score: 3, Interesting

    Yes, that's why I'm serving 25 to life for being a security consultant and there is no such thing as a penetration testing industry. Why post if you have no idea?

  9. TRANSLATION: by Anonymous Coward · · Score: 3, Funny

    "We're too incompetent and lazy to fix our own stuff. Why don't you do it for us, and for cheap/free?"

  10. Re:Personal Contact Info For LJ Hackers by weevlos · · Score: 3, Insightful

    You misspelled aempirei. He's also known as Christopher Abad, and has been featured on Slashdot before for his contributions to the security community. Something tells me such a respected figure among whitehat hackers would not have much to do with some blog defacements.

    Maybe you should stop blaming the actions of everyone who idles in that channel on a small minority of their non-livejournal-using denizens.