Privacy Security The Internet

Details of the LiveJournal Account Hacks

An anonymous reader writes "Brian Krebs of the Washington Post has written about the recent spate of hijackings at Six Apart's popular LiveJournal service. Hundreds of journals have now been taken over by a notorious group called 'Bantown' using a series of complicated cross-site-scripting vulnerabilities. Krebs details the recent security changes made by LiveJournal in response to the takeovers." From the article: "It is unclear whether LiveJournal has managed to close the security holes that the hackers claim to have used. The company says it has, but the hackers insist there are still at least 16 other similar JavaScript flaws on the LiveJournal site that could be used to conduct the same attack. [Bantown] group members said they plan to turn their attention to looking for similar flaws at another large social-networking site."
This discussion has been archived. No new comments can be posted.

  • Re:Wake up call (Score:4, Interesting)

    by Lehk228 ( 705449 ) on Friday January 20, 2006 @03:17PM (#14520998) Journal
    myspace already got owned by a javascript worm that worked its way into millions of profiles.

    now instead of fixing the site it asks you for your password 50 f*cking times a day.
  • by Anonymous Coward on Friday January 20, 2006 @03:18PM (#14521017)
    Big numbers make for good stories; you have to wonder if Bantown has actually compromised as many accounts as the reporter says they have. Looking at the latest LiveJournal news post, they don't seem to claim that they've closed all the holes, just that they've taken steps to make their service more secure.

    How come there are no details on the exploit?
  • by TedTschopp ( 244839 ) on Friday January 20, 2006 @03:21PM (#14521053) Homepage
    As we move more towards applications that depend on the JavaScript enabled client (AJAX and all his relatives) we will see more of this hacking.

    On the bright side, it will eventually get people to code securely in a non-trusted environment because the source code is not only available, but changeable.

    Sadly, there will be a bunch of rough lessons between that wonderful future and what we have right now, especially with all the focus on WEB 2.0 and Ajax.
  • by aztracker1 ( 702135 ) on Friday January 20, 2006 @03:37PM (#14521189) Homepage
    I don't see how it will necessarily be *more* dangerous than today... simply hit some main points.. strip script tags altogether from user input... or detect/escape them. with link tags, remove them if the href starts with "javascript:" and third, remove on* event attributes from any user inputted tags... issue resolved (for the most part)...

    The problem isn't the level of javascript in a site, the problem is checking/validating user input. This is something most developers, especially professional ones, should know.
  • Re:I don't know (Score:3, Interesting)

    by neocon ( 580579 ) on Friday January 20, 2006 @03:43PM (#14521237) Homepage Journal
    ``Lambs'', of course, are innocent and defenseless. I think you mean ``wolves thrown to the farmers''...
  • Re:Blog (Score:1, Interesting)

    by EternityInterface ( 898741 ) on Friday January 20, 2006 @03:44PM (#14521243)
    Any intelligent fool can make things
    bigger / more complex / and more violent
    It takes a touch of genius
    and a lot of courage
    to move in the opposite direction
    (Einstein)

    I'd like an explanation of why Flash isn't allowed [livejournal.com] beyond "shit coding". BTW, You cannot use JavaScript [...] These scripts pose a security risk [..] and are automatically stripped [...] (Last Updated: October 30th, 2005)
  • frequent problems (Score:2, Interesting)

    by headonfire ( 160408 ) on Friday January 20, 2006 @04:10PM (#14521495)
    since the six apart acquisition and the moving of the data center from seattle to san francisco, livejournal has actually had perpetual technical issues. User pictures being jumbled, comment notification emails broken (this has been a reoccurring one), problems during peak load hours, community comments, and the like. Every day I look on in greater dismay as admin messages telling me something else is broken or having troubles. I like the service enough to pay for it, so I can keep in touch with old friends I've moved away from. But the 6apart and data center swap were terrible, terrible ideas that are degrading service quality inch by emo little inch.
  • by metalpet ( 557056 ) on Friday January 20, 2006 @04:23PM (#14521616) Journal
    ...about the 16 other XSS attacks.

    I've reported an XSS flaw exploitable over IE to LJ over 2 years ago, and the flaw is still exploitable to this day.
    (Yes, the email report was read by the right folks over at LJ.)

    I'm slightly overdue to send them my yearly reminder, I think. (I should probably set up a cron job for that.)
  • economics (Score:1, Interesting)

    by Anonymous Coward on Friday January 20, 2006 @04:53PM (#14521880)
    Cross Site Scripting is compounded by the fact that many of these sites use plain cookies for authentication.

    A while back I deciphered mySpace's cookie encoding so I could log in as any user. I was disgusted. When I managed to chat with mySpace's CIO, it became clear they had no intention of fixing this.

    In their opinion, the economics of better security didn't make sense. Server clustering meant that traditional {fast} sessions wouldn't work, and using a database to store session info was too slow.

    I'm not sure if this is still true, but at the time, advertising hit counts mattered, security did not.
  • by Max Threshold ( 540114 ) on Friday January 20, 2006 @05:50PM (#14522378)
    The LiveJournal development and support staff have always been incompetent. In the past, they've compensated paid users with extensions on their subscriptions because of extended service problems they didn't seem to know how to fix. Most recently, they moved their servers from Seattle to L.A., and for the next month, nobody was receiving their comment notifications. They claimed to have fixed it, then realized they hadn't, then sort of brushed it under the rug. I'm still missing all my comment notifications from the month following November 22, 2005. (And there's no other way to follow threads in communities.)

    In many ways, LiveJournal is becoming one of those sites that people only use because it's well-established. If it were new, the glaring problems with the software that runs it would leave it DOA... much like Photo.net and Slashdot.

  • Bantown contact info (Score:2, Interesting)

    by Anonymous Coward on Friday January 20, 2006 @06:14PM (#14522593)
    The Bantown kids are notorious troublemakers. #bantown is juped on several EFnet servers and many networks because of their "Banbot", which invites tens of thousands of users to bantown and then kickbans them. They are pretty funny though, and I have enjoyed some of the time I have spent in their channel (when they aren't scrolling ANSI penis and goatse). You can find them at irc.rizon.net #bantown and they have a toll-free contact number at 888-LOL-WHAT. Yes, that number is real and works.
  • For those curious (Score:2, Interesting)

    by cythrawll ( 868585 ) on Friday January 20, 2006 @06:26PM (#14522695)
    For those curious what was done with said accounts, they were also used to post a number of comments on the following posts: here [livejournal.com], here [livejournal.com], here. Look at the comments.
