Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Details of the LiveJournal Account Hacks

Posted by Zonk on Fri Jan 20, 2006 02:09 PM
from the my-rss-reader-is-unhappy dept.
Privacy Security The Internet
An anonymous reader writes "Brian Krebs of the Washington Post has written about the recent spate of hijackings at Six Apart's popular LiveJournal service. Hundreds of journals have now been taken over by a notorious group called 'Bantown' using a series of complicated cross-site-scripting vulnerabilities. Krebs details the recent security changes made by LiveJournal in response to the takeovers." From the article: "It is unclear whether LiveJournal has managed to close the security holes that the hackers claim to have used. The company says it has, but the hackers insist there are still at least 16 other similar JavaScript flaws on the LiveJournal site that could be used conduct the same attack. [Bantown] group members said they plan to turn their attention to looking for similar flaws at another large social-networking site. "
+ -
story

Related Stories

[+] The Future of the Blog 144 comments
conq writes "BusinessWeek has an interesting interview with Six Apart, the company behind LiveJournal and Movable Type, about the future of blogging and the role of the blogger. From the article: 'I think blog tools can get easier to use. Putting together a blog should be as easy as sending an e-mail. I foresee the next versions of blog tools as focusing less on features that appeal to early adopters. They'll be easier for people to incorporate more media and maybe mobile capabilities. This will be important, because many more mainstream users will come to blogging. I believe the interest in blogging is just starting.'"
[+] IT: Spam War Takes Out Blog Services 315 comments
munchola writes "Following on from the story about spammers attacking Blue Security's anti-spam system, CBR is reporting that Six Apart, which runs the popular LiveJournal and TypePad blogging services, has become a collateral victim. Six Apart told its millions of bloggers it had experienced 'intermittent and limited availability for TypePad, LiveJournal, TypeKey, sixapart.com, movabletype.org and movabletype.com', before resolving the issue in the early hours of Wednesday. '[The spammers are] trying to rip apart the internet just to make our community stop fighting back against spam,' Blue Security's chief executive Eran Reshef said, adding that he knows who's behind the attack."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Details of the LiveJournal Account Hacks 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Blog (Score:5, Funny)

    by Ribbo.com (885396) on Friday January 20 2006, @02:11PM (#14520940) Homepage
    Maybe they should write about how they did it in their blog, I mean someone elses blog.....
    • That is about all they can do. What is the point of hacking a livejournal account? I guess you could put up some ads...

      I suppose they aren't going do the nice thing of explaining these 16 supposed holes to livejournal.
      • The correct answer to any "What is the point" question is always "Because they can". Just like the idiots who insist on being the first to post to any new thread, others also crave "being the first" no matter how pointless, insignificant or downright rude it is. It will take a much smarter person than me to work out why they do it (maybe they actually want a job in internet security!)

        • It will take a much smarter person than me to work out why they do it (maybe they actually want a job in internet security!)

          I'm not smarter than you but I know that those who fuck things up for the rest of us tend to be young (chronologically or mentally) interested in "making a mark". Like peeing to claim territory.

          I'm not immune to the occasional harmless troll myself, but this is just pure abuse.
      • if you can explain that, you can explain all this weird world [encycloped...matica.com]
      • What is the point of hacking a livejournal account?

        Replacing crap with more better crap? Maybe they wanted to show of their l33t skilz and still claim moral obligation as a defense.

  • Poor Emos! (Score:4, Funny)

    by Ardeocalidus (947463) on Friday January 20 2006, @02:13PM (#14520949)
    Nooo! Poor Emos! I can just see them shivering in a cold, dank corner, cutting themselves because their journal was hi-jacked. What is becoming of this world?!

  • Wake up call (Score:4, Insightful)

    by Anonymous Coward on Friday January 20 2006, @02:13PM (#14520953)
    This is a wake up call to people who use these services... sites like MySpace, LiveJournal, all have fancy features that do things that "users want", but at the expense of security because users don't think of/realize/care about security unless it actually results in a successful hack against them. Those who have hacked LJs might want to consider running their blog using plain text instead of all that wacky Javascript (not exactly necessary for something as basic as text on a web page). Ya get what you pay for... I'd be pretty choked if I was a LJ user who paid for a membership and had my pages all highjacked beyond repair, though...

    • Re:Wake up call (Score:4, Interesting)

      by Lehk228 (705449) on Friday January 20 2006, @02:17PM (#14520998) Journal
      myspace already got owned by a javascript worm that worked it's way into millions of profiles.

      now instead of fixing the site it asks you for your password 50 f*cking times a day.

      • it was funny (Score:5, Funny)

        by conJunk (779958) on Friday January 20 2006, @02:40PM (#14521219)
        that was the funniest part of TFA:

        So far, the damage has been mostly harmless. The most high-profile case so far came in mid-October when one Myspace.com user released a self-replicating computer worm that took advantage of Javascript flaws to add more than a million fellow users to his buddy list. A similar worm hit the online community Xanga on New Year's eve (there is also some strong language at this link.)

        he used his worm to add people to his buddy list! that's really really funny! look how popular i am! i've got millions of friends! no one will laugh at me now!... er... i uh... yes... i wrote a worm to make friends for me....

    • This is a wake up call to people who use these services... sites like MySpace, LiveJournal, all have fancy features that do things that "users want", but at the expense of security because users don't think of/realize/care about security unless it actually results in a successful hack against them.

      While I agree with your point, keep in mind that the accounts in question were compromised when the account owner clicked on a web link pointing to malicious JavaScript, which then stole the appropriate LiveJou

    • these guys should watch themselves. Myspace and Livejournal are huge, and probably big business by now. I'd expect a criminal investigation, and at least a few lambs thrown to the wolves (read: jail time).

  • Oh dear! (Score:5, Funny)

    by Junky191 (549088) on Friday January 20 2006, @02:15PM (#14520963)
    How on Earth are all those white kids in the suburbs going to express their teen angst now?
    • What a dumb question.
      Clearly, they will use the new <lj-hijack> tags to drone on about the stupidity of parents, education, and responsibility on someone else's journal. ;)

    • Oh dear!-SlashBlog (Score:2, Funny)

      by Anonymous Coward
      "How on Earth are all those white kids in the suburbs going to express their teen angst now?"

      Post to Slashdot.

    • Re:Oh dear! (Score:5, Informative)

      by StrawberryFrog (67065) on Friday January 20 2006, @03:19PM (#14521569) Homepage Journal
      How on Earth are all those white kids in the suburbs going to express their teen angst now?

      How on Earth are all those white kids in the suburbs going to express their teen angst now?

      I wouldn't know mate. I'm in my 30s, and I use LJ to keep in touch with family and friends around the world (UK, Australia, US and South Africa mostly).

      Or at least I did, until my account was hacked and locked today. A good number of other accounts are in the same boat. I just hope that the LJ admins sort it out soon. My account email address was changed to bantownlj292@mailinator.com . I just hope my posts are OK. I can't even tell at present.
      • I'd mod you up if I had points. I'm almost 40 and use LJ for everything from keeping up with family to seeing who wants to go out for sushi after work. It's a place where my old friends can check up to see what I've been doing and check it again later if they forget. It serves some functions much better than email or phone.

        • Re:Oh dear! (Score:4, Insightful)

          by StrawberryFrog (67065) on Friday January 20 2006, @04:18PM (#14522109) Homepage Journal
          Ever try email?

          What, I should write emails to everyone I know saying "The weather in London is rubbish today....". Sorry, but different technologies are best suited to different things. I let them all know that I have an LJ, and those that want to will go and read it, if and when they want to.
  • I'm betting that this group will take down myspace accounts next. That website is notoriously bad for bugs and well, in my opinion is just horribly written. I guess we'll see what 'Tom' has to say ... :)

    • Re:I bet it's myspace (Score:4, Funny)

      by MikeFM (12491) on Friday January 20 2006, @04:07PM (#14522005) Homepage Journal
      I'd be more impressed if they could index every dirty picture on MySpace and copy them all out so you could look at them in some linear way without having to work through all that annoying crap about peoples lifes. Gee at least that'd be useful.

  • Legal Implications (Score:3, Informative)

    by eldavojohn (898314) * <my/.username@@@gmail.com> on Friday January 20 2006, @02:18PM (#14521018) Homepage Journal
    In LiveJournal's TOS [livejournal.com], they state:
    JOURNAL CONTENT

    Guidelines for posting to your online journal shall be as follows:

    1. All Content posted to LiveJournal.com in any way, is the responsibility and property of the author. LiveJournal is committed to keeping the Service in decent standing for all audiences but is not responsible for the monitoring or filtering of any journal Content. Within the confines of international and local law, LiveJournal.com will generally not place a limit on the type, or appropriateness of user content within journals. Those users posting material not suitable for all audiences must agree that they are fully responsible for all the content they have posted anywhere on the service. Should content be deemed illegal by such law having jurisdiction over the user, LiveJournal.com is committed to submitting all necessary information to the proper authorities; ....
    So it sounds like they might be in trouble with people losing property, however also in the TOS:
    MODIFICATIONS TO SERVICE

    LiveJournal.com reserves the right to modify or discontinue, temporarily or permanently, the Service (or any part thereof) with or without notice at any time. You agree that LiveJournal.com shall not be liable to you or to any third party for any modification, suspension or discontinuance of the Service.
    And there are other parts that make it sound like LiveJournal would never be in trouble for this unauthorized access parts. But really, who would bother to post their thoughts and words on a site that has no garauntee of saving them? At any minute, LiveJournal could format its servers and databases and start over with no one able to say anything.
  • How many livejournalers are unstable?

    Whatch, some overly depressed LJ'er is going to flip out and take a sledgehammer to the skulls of the perpetrators. Very dangerous to mess with the jouranls of unstable people.

    *click*
    *cluck*
    *cluck*
    *cluck*
    *cluck*

    Just ignore the sound of me loading rounds into my clip...you didn't hear that...

  • Oh no! (Score:2, Insightful)

    by BigZaphod (12942)
    from the article:

    Bantown claims to have figured out a way to subvert that test, and to have even released a free, open-source program that others could use to do the same.

    I like how it was pointed out that this little program is "open-source" almost as if that's a bad thing.
    • It means that people can see how it's done and try modifying it, instead of just running a binary.

      In the same way that having the source can be good when used in positive ways, you've got to admit that it's also bad when used in negative ways.
    • Bantown claims to have figured out a way to subvert that test...

      CAPTCHA images are useful, but not unbreakable. If they were planning on using that as their only line of defense against scripts, they were really kidding themselves. Simple distorted and discolored text is difficult but not impossible to crack. The CAPTCHA Project [captcha.net] is working on more sophisticated forms, using multiple words, image groups, and even audio.

  • Is Six Apart able to deal with this properly? (Score:5, Insightful)

    by mpontes (878663) on Friday January 20 2006, @02:20PM (#14521050)
    I've been following this lately, and Six Apart's behaviour on this situation seems quite lacking. If what the article says is true and bantown have been just stealing cookies, the only measure they took, a recent change in LJ's subdomain policy [livejournal.com] seems quite pointless, since cookies are binded to .livejournal.com, anyway.

    They also don't tell us which browser is affected on the newspost. How can we be safe if we are not informed? Can Six Apart actually deal with this in a professional way? I've been noticing LiveJournal is really slow and it hangs a lot lately. It seems that they know nothing about security and are just randomly mashing buttons in a attempt to hit the nail in the head.

    Is Six Apart that incompetent that they can't prevent such attacks after they have been going for days, or is this bantown group really that good?

    • Re:Is Six Apart able to deal with this properly? (Score:4, Interesting)

      by Max Threshold (540114) on Friday January 20 2006, @04:50PM (#14522378)
      The LiveJournal development and support staff have always been incompetent. In the past, they've compensated paid users with extensions on their subscriptions because of extended service problems they didn't seem to know how to fix. Most recently, they moved their servers from Seattle to L.A., and for the next month, nobody was receiving their comment notifications. They claimed to have fixed it, then realized they hadn't, then sort of brushed it under the rug. I'm still missing all my comment notifications from the month following November 22, 2005. (And there's no other way to follow threads in communities.)

      In many ways, LiveJournal is becoming one of those sites that people only use because it's well-established. If it were new, the glaring problems with the software that runs it would leave it DOA... much like Photo.net and Slashdot.

  • Ahhhhh security.... in Web 2.0 land (Score:5, Interesting)

    by TedTschopp (244839) on Friday January 20 2006, @02:21PM (#14521053) Homepage
    As we move more towards applications that depend on the JavaScript enabled client (AJAX and all his relatives) we will see more of this hacking.

    On the bright side, it will eventually get people to code securely in a non-trusted enviroment becuase the source code is not only available, but changeable.

    Sadly, there will be a bunch of rough lessons between that wonderful future and what we have right now, espeically with all the focus on WEB 2.0 and Ajax.

    • As we move more towards applications that depend on the JavaScript enabled client (AJAX and all his relatives) we will see more of this hacking.

      I wouldn't say that. Cross-site scripting is usually caused by user-supplied data being inserted into a page improperly. That's a problem with the bit that generates the HTML. Using more Javascript on a page doesn't change that; a page can use no Javascript whatsoever and still be vulnerable to cross-site scripting attacks.

    • Re:Ahhhhh security.... in Web 2.0 land (Score:4, Interesting)

      by aztracker1 (702135) on Friday January 20 2006, @02:37PM (#14521189) Homepage
      I don't see how it will necessarily be *more* dangerous than today... simply hit some main points.. strip script tags altogether from user input... or detect/escape them. with link tags, remove them if the href starts with "javascript:" and third, remove on* event attributes from any user inputted tags... issue resolved (for the most part)...

      The problem isn't the level of javascript in a site, the problem is checking/validating user input. This is something most developers, especially professional ones, should know.

  • Even more appalling... (Score:5, Funny)

    by Orrin Bloquy (898571) on Friday January 20 2006, @02:25PM (#14521077) Journal
    ...they hacked into my LJ and corrected all the meter in my "I am sad/I want to die" goth poetry!

  • Details are scarce. (Score:4, Insightful)

    by Peganthyrus (713645) on Friday January 20 2006, @02:28PM (#14521111) Homepage

    It would've been nice if LJ's news post on starting to fix this vulnerability had said which "popular browser" was affected.

    Also, I somehow find myself suspecting that the anonymous person calling this 'Bantown' group 'notorious' is probably a member of it.

    Details are scarce; all I could find in the LJ_Dev community relating to this wasone post about the effects of the first phase of the fix [livejournal.com]. Especially check Brad's comments.

    • Looks like this wasn't really a browser problem. I just spotted this in the comments section of the Post's story, probably written by the author:

      "Wiredog -- Shoot, I forgot to address that in the posting. LJ considered the flaw related to a Firefox problem, but Bantown says that's not really the issue here. From my discussion with the Bantown people: "Livejournal assumed the majority of our javascript injection attacks involved malicious code implanted in style sheets or user posts, and they have heavi
  • Great! While they're in there hacking around they can fix all the spelling errors and bad grammer so prolific in LJ
  • If you want to put tons of dancing Jesus's on your page, and you get hacked, is it really that big a surprise? I'd be tempted to hack someone's blog just to shut off the Dancing Jesus on every post.

    But if you get hacked for Peanut Butter Jelly Time, now there's a travesty!

  • Seen on a hacked page (Score:5, Funny)

    by dkleinsc (563838) on Friday January 20 2006, @02:34PM (#14521160)
    Current mood: 0wned

  • MySpace (Score:3, Funny)

    by phalse phace (454635) on Friday January 20 2006, @02:41PM (#14521226)
    [Bantown] group members said they plan to turn their attention to looking for similar flaws at another large social-networking site.

    [ says to himself ]
    Please let it be MySpace. Please let it be MySpace.

  • Bantown! (sung in the Petula Clark style) (Score:5, Funny)

    by digitaldc (879047) on Friday January 20 2006, @02:52PM (#14521323)
    When your site is down & Livejournal's making you angry
    You can always blame - Bantown!
    When you've got blogs, all the noise and the worry
    Seems to stop, I know - Bantown!
    Just listen to the music of the vulnerable website
    Linger on the domain where the CSS is not right
    You only lose!

    The lags are much longer there
    You can see all your troubles, see all your fear
    So go Bantown! things'll be worse when you're
    Bantown! - no security measures, for sure
    Bantown! - everyone's waiting on you!

  • This is Cross Site Scripting (Score:5, Informative)

    by mrkitty (584915) on Friday January 20 2006, @02:56PM (#14521366) Homepage
    I've written an FAQ on this type of attack which can be found below.
    The Cross Site Scripting FAQ [cgisecurity.com]

  • I'm pretty sure they're not bluffing... (Score:3, Interesting)

    by metalpet (557056) on Friday January 20 2006, @03:23PM (#14521616) Journal
    ...about the 16 other XSS attacks.

    I've reported an XSS flaw exploitable over IE to LJ over 2 years ago, and the flaw is still exploitable to this day.
    (Yes, the email report was read by the right folks over at LJ.)

    I'm slightly overdue to send them my yearly reminder, I think. (I should probably set up a cron job for that.)

  • And now, (Score:5, Insightful)

    by Council (514577) <rmunroe@NOSPAM.gmail.com> on Friday January 20 2006, @04:04PM (#14521976) Homepage
    Cue the 500 posts about "haha, sucks for those Livejournal-using emo fucks" which help (a) put me off of Slashdot for a few days, and (b) obscure the actual information about how I should secure my account or what vulnerabilities these break-ins made use of.

    I'm taking a deep breath and trying not to get in an argument with the "Livejournal is stupid" crap that will get modded funny. Just be aware that it gets on the nerves of those of us who use it, and there will inevitably be posts by people defending LJ, and then ridiculous anti-LJ evangelizing posts (as if anyone commenting on Slashdot doesn't know their way around blogs).

    If you're posting anti-LJ jokes, please try to make them funny. And if you see useful information about the exploits, mod it up.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.