Details of the LiveJournal Account Hacks
An anonymous reader writes "Brian Krebs of the Washington Post has written about the recent spate of hijackings at Six Apart's popular LiveJournal service. Hundreds of journals have now been taken over by a notorious group called 'Bantown' using a series of complicated cross-site-scripting vulnerabilities. Krebs details the recent security changes made by LiveJournal in response to the takeovers." From the article: "It is unclear whether LiveJournal has managed to close the security holes that the hackers claim to have used. The company says it has, but the hackers insist there are still at least 16 other similar JavaScript flaws on the LiveJournal site that could be used to conduct the same attack. [Bantown] group members said they plan to turn their attention to looking for similar flaws at another large social-networking site."
Re:Wake up call (Score:4, Interesting)
now instead of fixing the site it asks you for your password 50 f*cking times a day.
Smells like freedom downtime (Score:1, Interesting)
How come there are no details on the exploit?
Ahhhhh security.... in Web 2.0 land (Score:5, Interesting)
On the bright side, it will eventually get people to code securely in a non-trusted environment because the source code is not only available, but changeable.
Sadly, there will be a bunch of rough lessons between that wonderful future and what we have right now, especially with all the focus on WEB 2.0 and Ajax.
Re:Ahhhhh security.... in Web 2.0 land (Score:4, Interesting)
The problem isn't the level of javascript in a site, the problem is checking/validating user input. This is something most developers, especially professional ones, should know.
Re:I don't know (Score:3, Interesting)
Re:Blog (Score:1, Interesting)
bigger / more complex / and more violent
It takes a touch of genius
and a lot of courage
to move in the opposite direction
(Einstein)
I'd like an explanation of why Flash isn't allowed [livejournal.com] beyond "shit coding". BTW, You cannot use JavaScript [...] These scripts pose a security risk [..] and are automatically stripped [...] (Last Updated: October 30th, 2005)
frequent problems (Score:2, Interesting)
I'm pretty sure they're not bluffing... (Score:3, Interesting)
I reported an XSS flaw exploitable over IE to LJ over 2 years ago, and the flaw is still exploitable to this day.
(Yes, the email report was read by the right folks over at LJ.)
I'm slightly overdue to send them my yearly reminder, I think. (I should probably set up a cron job for that.)
economics (Score:1, Interesting)
A while back I deciphered mySpace's cookie encoding so I could log in as any user. I was disgusted. When I managed to chat with mySpace's CIO, it became clear they had no intention of fixing this.
In their opinion, the economics of better security didn't make sense. Server clustering meant that traditional {fast} sessions wouldn't work, and using a database to store session info was too slow.
I'm not sure if this is still true, but at the time, advertising hit counts mattered, security did not.
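Added example, not part of the comment above and not code from any site named in this thread: a login cookie authenticated with an HMAC can be verified on any node of a cluster with no session store or database lookup, which is the trade-off the comment describes. The key, field names and function names are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed key for the example; in a cluster every node loads the same
# secret from its configuration, so no shared session store is needed.
SECRET = b"example-only-secret-rotate-me"

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_cookie(user, ttl=3600, now=None, key=SECRET):
    """Return 'payload.tag' where tag = HMAC-SHA256(key, payload)."""
    now = int(time.time()) if now is None else now
    payload = b64e(json.dumps({"u": user, "exp": now + ttl}).encode())
    tag = b64e(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return payload + "." + tag

def verify_cookie(cookie, now=None, key=SECRET):
    """Return the user name, or None if forged, malformed or expired."""
    now = int(time.time()) if now is None else now
    try:
        payload, tag = cookie.split(".")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison, done before the payload is parsed or trusted.
        if not hmac.compare_digest(b64d(tag), expected):
            return None
        claims = json.loads(b64d(payload))
    except (ValueError, TypeError, AttributeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("u")

if __name__ == "__main__":
    c = issue_cookie("alice", ttl=60, now=1000)
    print(verify_cookie(c, now=1010))   # valid cookie, any node with the key
    # Payload for another user spliced onto alice's tag: rejected.
    other = issue_cookie("admin", now=1000, key=b"attacker-guess").split(".")[0]
    print(verify_cookie(other + "." + c.split(".")[1], now=1010))
```

The payload is only encoded, not encrypted, so it must not carry secrets; revoking a cookie before it expires still needs either a short lifetime or a server-side deny list.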
Re:Is Six Apart able to deal with this properly? (Score:4, Interesting)
In many ways, LiveJournal is becoming one of those sites that people only use because it's well-established. If it were new, the glaring problems with the software that runs it would leave it DOA... much like Photo.net and Slashdot.
Bantown contact info (Score:2, Interesting)
For those curious (Score:2, Interesting)