Details of the LiveJournal Account Hacks
An anonymous reader writes "Brian Krebs of the Washington Post has written about the recent spate of hijackings at Six Apart's popular LiveJournal service. Hundreds of journals have now been taken over by a notorious group called 'Bantown' using a series of complicated cross-site-scripting vulnerabilities. Krebs details the recent security changes made by LiveJournal in response to the takeovers." From the article: "It is unclear whether LiveJournal has managed to close the security holes that the hackers claim to have used. The company says it has, but the hackers insist there are still at least 16 other similar JavaScript flaws on the LiveJournal site that could be used to conduct the same attack. [Bantown] group members said they plan to turn their attention to looking for similar flaws at another large social-networking site."
Wake up call (Score:4, Insightful)
Mood: Sad :( (Score:1, Insightful)
I bet it's myspace (Score:2, Insightful)
Oh no! (Score:2, Insightful)
Bantown claims to have figured out a way to subvert that test, and to have even released a free, open-source program that others could use to do the same.
I like how it was pointed out that this little program is "open-source" almost as if that's a bad thing.
Re:Blog (Score:3, Insightful)
Is Six Apart able to deal with this properly? (Score:5, Insightful)
They also don't tell us which browser is affected on the news post. How can we be safe if we are not informed? Can Six Apart actually deal with this in a professional way? I've been noticing LiveJournal is really slow and it hangs a lot lately. It seems that they know nothing about security and are just randomly mashing buttons in an attempt to hit the nail on the head.
Is Six Apart that incompetent that they can't prevent such attacks after they have been going on for days, or is this Bantown group really that good?
Re:Wake up call (Score:3, Insightful)
Details are scarce. (Score:4, Insightful)
It would've been nice if LJ's news post on starting to fix this vulnerability had said which "popular browser" was affected.
Also, I somehow find myself suspecting that the anonymous person calling this 'Bantown' group 'notorious' is probably a member of it.
Details are scarce; all I could find in the LJ_Dev community relating to this was one post about the effects of the first phase of the fix [livejournal.com]. Especially check Brad's comments.
Re:Blog (Score:3, Insightful)
It will take a much smarter person than me to work out why they do it (maybe they actually want a job in internet security!)
I'm not smarter than you, but I know that those who fuck things up for the rest of us tend to be young (chronologically or mentally) and interested in "making a mark". Like peeing to claim territory.
I'm not immune to the occasional harmless troll myself, but this is just pure abuse.
Comment removed (Score:1, Insightful)
Re:Poor Emos! (Score:1, Insightful)
Re:Another problem of the user. (Score:1, Insightful)
Quickest Way to get it fixed.. (Score:1, Insightful)
And now, (Score:5, Insightful)
I'm taking a deep breath and trying not to get in an argument with the "Livejournal is stupid" crap that will get modded funny. Just be aware that it gets on the nerves of those of us who use it, and there will inevitably be posts by people defending LJ, and then ridiculous anti-LJ evangelizing posts (as if anyone commenting on Slashdot doesn't know their way around blogs).
If you're posting anti-LJ jokes, please try to make them funny. And if you see useful information about the exploits, mod it up.
Re:Oh dear! (Score:4, Insightful)
What, I should write emails to everyone I know saying "The weather in London is rubbish today....". Sorry, but different technologies are best suited to different things. I let them all know that I have an LJ, and those that want to will go and read it, if and when they want to.
Re:Easy to tame the dogs (Score:2, Insightful)
Here is the text:
I'm not going to complain about anyone's typing on