
Details of the LiveJournal Account Hacks

An anonymous reader writes "Brian Krebs of the Washington Post has written about the recent spate of hijackings at Six Apart's popular LiveJournal service. Hundreds of journals have now been taken over by a notorious group called 'Bantown' using a series of complicated cross-site-scripting vulnerabilities. Krebs details the recent security changes made by LiveJournal in response to the takeovers." From the article: "It is unclear whether LiveJournal has managed to close the security holes that the hackers claim to have used. The company says it has, but the hackers insist there are still at least 16 other similar JavaScript flaws on the LiveJournal site that could be used to conduct the same attack. [Bantown] group members said they plan to turn their attention to looking for similar flaws at another large social-networking site."
  • Wake up call (Score:4, Insightful)

    by Anonymous Coward on Friday January 20, 2006 @03:13PM (#14520953)
    This is a wake up call to people who use these services... sites like MySpace, LiveJournal, all have fancy features that do things that "users want", but at the expense of security because users don't think of/realize/care about security unless it actually results in a successful hack against them. Those who have hacked LJs might want to consider running their blog using plain text instead of all that wacky Javascript (not exactly necessary for something as basic as text on a web page). Ya get what you pay for... I'd be pretty choked if I was a LJ user who paid for a membership and had my pages all hijacked beyond repair, though...
  • Mood: Sad :( (Score:1, Insightful)

    by Real World Stuff ( 561780 ) * <real_world_stuff AT hotmail DOT com> on Friday January 20, 2006 @03:15PM (#14520967) Journal
    Cross Site Scripting exploits are not going to go away until the fundamental way these sites operate changes.
  • I bet it's myspace (Score:2, Insightful)

    by janvo ( 639733 ) on Friday January 20, 2006 @03:15PM (#14520969) Journal
    I'm betting that this group will take down myspace accounts next. That website is notoriously bad for bugs and well, in my opinion is just horribly written. I guess we'll see what 'Tom' has to say ... :)
  • Oh no! (Score:2, Insightful)

    by BigZaphod ( 12942 ) on Friday January 20, 2006 @03:19PM (#14521027) Homepage
    from the article:

    Bantown claims to have figured out a way to subvert that test, and to have even released a free, open-source program that others could use to do the same.

    I like how it was pointed out that this little program is "open-source" almost as if that's a bad thing.
  • Re:Blog (Score:3, Insightful)

    by Ribbo.com ( 885396 ) on Friday January 20, 2006 @03:19PM (#14521033) Homepage
    The correct answer to any "What is the point" question is always "Because they can". Just like the idiots who insist on being the first to post to any new thread, others also crave "being the first" no matter how pointless, insignificant or downright rude it is. It will take a much smarter person than me to work out why they do it (maybe they actually want a job in internet security!)
  • by mpontes ( 878663 ) on Friday January 20, 2006 @03:20PM (#14521050)
    I've been following this lately, and Six Apart's behaviour on this situation seems quite lacking. If what the article says is true and bantown have been just stealing cookies, the only measure they took, a recent change in LJ's subdomain policy [livejournal.com], seems quite pointless, since cookies are bound to .livejournal.com anyway.

    They also don't tell us which browser is affected on the newspost. How can we be safe if we are not informed? Can Six Apart actually deal with this in a professional way? I've been noticing LiveJournal is really slow and it hangs a lot lately. It seems that they know nothing about security and are just randomly mashing buttons in an attempt to hit the nail on the head.

    Is Six Apart that incompetent that they can't prevent such attacks after they have been going for days, or is this bantown group really that good?

  • Re:Wake up call (Score:3, Insightful)

    by deep44 ( 891922 ) on Friday January 20, 2006 @03:27PM (#14521099)
    This is a wake up call to people who use these services... sites like MySpace, LiveJournal, all have fancy features that do things that "users want", but at the expense of security because users don't think of/realize/care about security unless it actually results in a successful hack against them.
    While I agree with your point, keep in mind that the accounts in question were compromised when the account owner clicked on a web link pointing to malicious JavaScript, which then stole the appropriate LiveJournal cookie. A plain text blogging service wouldn't stop this sort of thing; this problem was centered around authentication & session management.
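    The two comments above make one point between them: if a session cookie is scoped to the parent domain, moving journals onto per-user subdomains does nothing to keep that cookie away from script running on those subdomains, and the defence belongs in session management (cookie scope and the HttpOnly flag), not in the markup. The following is an added illustration, not code from the thread, from LiveJournal or from Six Apart: a small cookie jar that applies the RFC 6265 domain-matching rule and the HttpOnly rule so you can see which cookies a browser would attach to a request for a given host and which of those `document.cookie` would expose. All hostnames and cookie values (`example.com`, `ljsession`, and so on) are constructed for the example.

```javascript
// Added example (not from the Slashdot thread or from LiveJournal's code):
// a minimal cookie jar modelling RFC 6265 domain matching plus the Secure
// and HttpOnly attributes. Hostnames and cookie values are constructed.

// RFC 6265 §5.1.3: a host domain-matches a cookie domain when they are equal
// or when the host ends with "." + domain (compared case-insensitively).
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, '');
  return host === domain || host.endsWith('.' + domain);
}

// Parse one Set-Cookie header value as received from `requestHost`.
// Without a Domain attribute the cookie is host-only (sent to that exact
// host only); with Domain=.parent it is sent to every subdomain of parent.
function parseSetCookie(header, requestHost) {
  const parts = header.split(';').map(s => s.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1),
    domain: requestHost.toLowerCase(),
    hostOnly: true,
    httpOnly: false,
    secure: false,
  };
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain':
        if (v) { cookie.domain = v.replace(/^\./, '').toLowerCase(); cookie.hostOnly = false; }
        break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'secure': cookie.secure = true; break;
      // Path, Expires, etc. are ignored in this model.
    }
  }
  return cookie;
}

// Cookies a browser would attach to a request for `host`.
function cookiesForRequest(jar, host, https) {
  const h = host.toLowerCase();
  return jar.filter(c =>
    (c.hostOnly ? c.domain === h : domainMatches(h, c.domain)) &&
    (!c.secure || https));
}

// Cookies that script running on `host` can read via document.cookie:
// the same set as a request, minus anything flagged HttpOnly.
function cookiesVisibleToScript(jar, host, https) {
  return cookiesForRequest(jar, host, https).filter(c => !c.httpOnly);
}

// Constructed jar: a weak session cookie scoped to the parent domain, the
// same cookie hardened with Secure + HttpOnly, and a host-only preference.
function buildDemoJar() {
  return [
    parseSetCookie('ljsession=abc123; Domain=.example.com; Path=/', 'www.example.com'),
    parseSetCookie('ljsession_hardened=xyz789; Domain=.example.com; Path=/; Secure; HttpOnly', 'www.example.com'),
    parseSetCookie('pref=dark; Path=/', 'www.example.com'),
  ];
}

// Which cookies reach a per-user subdomain, which of them script there can
// read, and whether any leak to an unrelated site.
function demo() {
  const jar = buildDemoJar();
  const names = cs => cs.map(c => c.name);
  return {
    sentToUserSubdomain: names(cookiesForRequest(jar, 'someuser.example.com', true)),
    scriptOnUserSubdomain: names(cookiesVisibleToScript(jar, 'someuser.example.com', true)),
    sentToMainHost: names(cookiesForRequest(jar, 'www.example.com', true)),
    sentToOtherSite: names(cookiesForRequest(jar, 'example.org', true)),
  };
}

console.log(demo());
```

    Running it shows both parent-scoped session cookies being sent to `someuser.example.com`, so the subdomain split on its own changes nothing for a cookie set with `Domain=.example.com`; only the cookie without HttpOnly appears in what script on that subdomain can read. The caveat a practitioner should keep in mind is that HttpOnly only blocks reading the cookie; script injected into a page can still issue requests that carry it, so the injection itself must be removed as well.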
  • by Peganthyrus ( 713645 ) on Friday January 20, 2006 @03:28PM (#14521111) Homepage

    It would've been nice if LJ's news post on starting to fix this vulnerability had said which "popular browser" was affected.

    Also, I somehow find myself suspecting that the anonymous person calling this 'Bantown' group 'notorious' is probably a member of it.

    Details are scarce; all I could find in the LJ_Dev community relating to this was one post about the effects of the first phase of the fix [livejournal.com]. Especially check Brad's comments.

  • Re:Blog (Score:3, Insightful)

    by pipingguy ( 566974 ) on Friday January 20, 2006 @03:37PM (#14521191)

    It will take a much smarter person than me to work out why they do it (maybe they actually want a job in internet security!)

    I'm not smarter than you but I know that those who fuck things up for the rest of us tend to be young (chronologically or mentally) and interested in "making a mark". Like peeing to claim territory.

    I'm not immune to the occasional harmless troll myself, but this is just pure abuse.
  • Comment removed (Score:1, Insightful)

    by account_deleted ( 4530225 ) on Friday January 20, 2006 @03:44PM (#14521246)
    Comment removed based on user account deletion
  • Re:Poor Emos! (Score:1, Insightful)

    by EternityInterface ( 898741 ) on Friday January 20, 2006 @03:50PM (#14521305)
    "There seems to be a lot of latent hostility towards teenage girls. WTF? Your outlet is geeking out on Slashdot. Theirs is LJ. And how do you all know so much about the content of LJ anyway?" (Earlier discourse on the same subject [slashdot.org])
  • by MrSippyCup ( 880773 ) on Friday January 20, 2006 @03:59PM (#14521395)
    I'm tired of formatting my drive every year or so because of the stupid combination of Windows and the internet. More work needs to be put into emulation for Linux so I can enjoy my games on a good system.
  • by Anonymous Coward on Friday January 20, 2006 @04:27PM (#14521650)
    Let Slashdot know about it. GNAA/Bantown/ANUS/Buttes has a rather good track record of getting these types of ignored security holes fixed rather quickly.
  • And now, (Score:5, Insightful)

    by Council ( 514577 ) <rmunroe@NOSpaM.gmail.com> on Friday January 20, 2006 @05:04PM (#14521976) Homepage
    Cue the 500 posts about "haha, sucks for those Livejournal-using emo fucks" which help (a) put me off of Slashdot for a few days, and (b) obscure the actual information about how I should secure my account or what vulnerabilities these break-ins made use of.

    I'm taking a deep breath and trying not to get in an argument with the "Livejournal is stupid" crap that will get modded funny. Just be aware that it gets on the nerves of those of us who use it, and there will inevitably be posts by people defending LJ, and then ridiculous anti-LJ evangelizing posts (as if anyone commenting on Slashdot doesn't know their way around blogs).

    If you're posting anti-LJ jokes, please try to make them funny. And if you see useful information about the exploits, mod it up.
  • Re:Oh dear! (Score:4, Insightful)

    by StrawberryFrog ( 67065 ) on Friday January 20, 2006 @05:18PM (#14522109) Homepage Journal
    Ever try email?

    What, I should write emails to everyone I know saying "The weather in London is rubbish today....". Sorry, but different technologies are best suited to different things. I let them all know that I have an LJ, and those that want to will go and read it, if and when they want to.
  • by PastAustin ( 941464 ) on Friday January 20, 2006 @06:04PM (#14522507)
    The title of a post on that blog was: zomg Gr0w UP

    Here is the text:

    This is the most immature thing evar and I am glad to be no part of it. I am so sad when I see internet abused this way.

    You terrar faggots should stop flying your pooplanes(?!) into the lj towers before we get mad and invade your butts(?!?!?!?!). like you are an iraq we will be up there in your anustowns. thank you


    I'm not going to complain about anyone's typing on /. ever again... My god... Talk about immature.
