
Details of the LiveJournal Account Hacks

Posted by Zonk on Fri Jan 20, 2006 02:09 PM
from the my-rss-reader-is-unhappy dept.
An anonymous reader writes "Brian Krebs of the Washington Post has written about the recent spate of hijackings at Six Apart's popular LiveJournal service. Hundreds of journals have now been taken over by a notorious group called 'Bantown' using a series of complicated cross-site-scripting vulnerabilities. Krebs details the recent security changes made by LiveJournal in response to the takeovers." From the article: "It is unclear whether LiveJournal has managed to close the security holes that the hackers claim to have used. The company says it has, but the hackers insist there are still at least 16 other similar JavaScript flaws on the LiveJournal site that could be used to conduct the same attack. [Bantown] group members said they plan to turn their attention to looking for similar flaws at another large social-networking site."

Related Stories

The Future of the Blog (144 comments)
conq writes "BusinessWeek has an interesting interview with Six Apart, the company behind LiveJournal and Movable Type, about the future of blogging and the role of the blogger. From the article: 'I think blog tools can get easier to use. Putting together a blog should be as easy as sending an e-mail. I foresee the next versions of blog tools as focusing less on features that appeal to early adopters. They'll be easier for people to incorporate more media and maybe mobile capabilities. This will be important, because many more mainstream users will come to blogging. I believe the interest in blogging is just starting.'"
IT: Spam War Takes Out Blog Services (315 comments)
munchola writes "Following on from the story about spammers attacking Blue Security's anti-spam system, CBR is reporting that Six Apart, which runs the popular LiveJournal and TypePad blogging services, has become a collateral victim. Six Apart told its millions of bloggers it had experienced 'intermittent and limited availability for TypePad, LiveJournal, TypeKey, sixapart.com, movabletype.org and movabletype.com', before resolving the issue in the early hours of Wednesday. '[The spammers are] trying to rip apart the internet just to make our community stop fighting back against spam,' Blue Security's chief executive Eran Reshef said, adding that he knows who's behind the attack."
  • Blog (Score:5, Funny)

    by Ribbo.com (885396) on Friday January 20 2006, @02:11PM (#14520940)
    (http://www.ribbo.com/)
    Maybe they should write about how they did it in their blog, I mean someone else's blog.....
    • Re:Blog by dirvish (Score:2) Friday January 20 2006, @02:15PM
      • Re:Blog by Ribbo.com (Score:3) Friday January 20 2006, @02:19PM
        • Re:Blog by pipingguy (Score:3) Friday January 20 2006, @02:37PM
        • Re:Blog by EternityInterface (Score:1) Friday January 20 2006, @02:44PM
      • Re:Blog by mmkkbb (Score:2) Friday January 20 2006, @02:44PM
        • Re:Blog by springbox (Score:2) Friday January 20 2006, @06:27PM
      • Re:Blog by Shadow Wrought (Score:2) Friday January 20 2006, @02:47PM
      • Re:Blog by Peganthyrus (Score:1) Friday January 20 2006, @05:39PM
      • You must be new to Astroturfing. by twitter (Score:2) Friday January 20 2006, @08:14PM
      • Re:Blog by turkeyphant (Score:1) Saturday January 21 2006, @08:40AM
  • Poor Emos! (Score:4, Funny)

    by Ardeocalidus (947463) on Friday January 20 2006, @02:13PM (#14520949)
    Nooo! Poor Emos! I can just see them shivering in a cold, dank corner, cutting themselves because their journal was hi-jacked. What is becoming of this world?!
  • Livejournal hacks? (Score:1, Funny)

    by Anonymous Coward on Friday January 20 2006, @02:13PM (#14520952)
    Someone took all the amateur porn and replaced it with goatse?
  • Wake up call (Score:4, Insightful)

    by Anonymous Coward on Friday January 20 2006, @02:13PM (#14520953)
    This is a wake up call to people who use these services... sites like MySpace, LiveJournal, all have fancy features that do things that "users want", but at the expense of security because users don't think of/realize/care about security unless it actually results in a successful hack against them. Those who have hacked LJs might want to consider running their blog using plain text instead of all that wacky Javascript (not exactly necessary for something as basic as text on a web page). Ya get what you pay for... I'd be pretty choked if I was a LJ user who paid for a membership and had my pages all hijacked beyond repair, though...
    • Re:Wake up call (Score:4, Interesting)

      myspace already got owned by a javascript worm that worked its way into millions of profiles.

      now instead of fixing the site it asks you for your password 50 f*cking times a day.
      • it was funny (Score:5, Funny)

        by conJunk (779958) on Friday January 20 2006, @02:40PM (#14521219)
        that was the funniest part of TFA:

        So far, the damage has been mostly harmless. The most high-profile case so far came in mid-October when one Myspace.com user released a self-replicating computer worm that took advantage of Javascript flaws to add more than a million fellow users to his buddy list. A similar worm hit the online community Xanga on New Year's eve (there is also some strong language at this link.)

        he used his worm to add people to his buddy list! that's really really funny! look how popular i am! i've got millions of friends! no one will laugh at me now!... er... i uh... yes... i wrote a worm to make friends for me....

      • Re:Wake up call by Neoprofin (Score:2) Friday January 20 2006, @03:25PM
    • Re:Wake up call by supermatt1000 (Score:1) Friday January 20 2006, @02:18PM
    • Re:Wake up call by deep44 (Score:3) Friday January 20 2006, @02:27PM
    • Re:Wake up call by Peganthyrus (Score:1) Friday January 20 2006, @02:31PM
    • I don't know by rsilvergun (Score:2) Friday January 20 2006, @02:35PM
    • Re:Wake up call by pilgrim23 (Score:1) Friday January 20 2006, @02:45PM
    • Re:Wake up call by pennyher0 (Score:1) Friday January 20 2006, @06:10PM
    • Re:Wake up call by njyoder (Score:1) Friday January 20 2006, @07:55PM
    • Re:Wake up call by camg188 (Score:1) Sunday January 22 2006, @12:01PM
  • Oh dear! (Score:5, Funny)

    by Junky191 (549088) on Friday January 20 2006, @02:15PM (#14520963)
    How on Earth are all those white kids in the suburbs going to express their teen angst now?
  • Mood: Sad :( (Score:1, Insightful)

    Cross Site Scripting exploits are not going to go away until the fundamental way these operate changes.
  • I bet it's myspace (Score:2, Insightful)

    by janvo (639733) on Friday January 20 2006, @02:15PM (#14520969)
    (Last Journal: Friday August 20 2004, @10:21AM)
    I'm betting that this group will take down myspace accounts next. That website is notoriously bad for bugs and well, in my opinion is just horribly written. I guess we'll see what 'Tom' has to say ... :)
  • Smells like freedom downtime (Score:1, Interesting)

    by Anonymous Coward on Friday January 20 2006, @02:18PM (#14521017)
    Big numbers make for good stories; you have to wonder if Bantown has actually compromised as many accounts as the reporter says they have. Looking at the latest Live Journal news post, they don't seem to claim that they've closed all the holes, just that they've taken steps to make their service more secure.

    How come there are no details on the exploit?
  • Legal Implications (Score:3, Informative)

    In LiveJournal's TOS [livejournal.com], they state:
    JOURNAL CONTENT

    Guidelines for posting to your online journal shall be as follows:

    1. All Content posted to LiveJournal.com in any way, is the responsibility and property of the author. LiveJournal is committed to keeping the Service in decent standing for all audiences but is not responsible for the monitoring or filtering of any journal Content. Within the confines of international and local law, LiveJournal.com will generally not place a limit on the type, or appropriateness of user content within journals. Those users posting material not suitable for all audiences must agree that they are fully responsible for all the content they have posted anywhere on the service. Should content be deemed illegal by such law having jurisdiction over the user, LiveJournal.com is committed to submitting all necessary information to the proper authorities; ....
    So it sounds like they might be in trouble with people losing property, however also in the TOS:
    MODIFICATIONS TO SERVICE

    LiveJournal.com reserves the right to modify or discontinue, temporarily or permanently, the Service (or any part thereof) with or without notice at any time. You agree that LiveJournal.com shall not be liable to you or to any third party for any modification, suspension or discontinuance of the Service.
    And there are other parts that make it sound like LiveJournal would never be in trouble for this unauthorized access. But really, who would bother to post their thoughts and words on a site that has no guarantee of saving them? At any minute, LiveJournal could format its servers and databases and start over with no one able to say anything.
  • How many livejournalers are unstable?

    Watch, some overly depressed LJ'er is going to flip out and take a sledgehammer to the skulls of the perpetrators. Very dangerous to mess with the journals of unstable people.

    *click*
    *cluck*
    *cluck*
    *cluck*
    *cluck*

    Just ignore the sound of me loading rounds into my clip...you didn't hear that...
  • Oh no! (Score:2, Insightful)

    by BigZaphod (12942) on Friday January 20 2006, @02:19PM (#14521027)
    (http://www.bigzaphod.org/)
    from the article:

    Bantown claims to have figured out a way to subvert that test, and to have even released a free, open-source program that others could use to do the same.

    I like how it was pointed out that this little program is "open-source" almost as if that's a bad thing.
    • Well... by PornMaster (Score:2) Friday January 20 2006, @02:26PM
    • Re:Oh no! by Billosaur (Score:2) Friday January 20 2006, @02:37PM
      • Re:Oh no! by brontus3927 (Score:2) Friday January 20 2006, @03:57PM
    • Re:Oh no! by starwed (Score:2) Friday January 20 2006, @06:03PM
    • Re:Oh no! by makomk (Score:2) Friday January 20 2006, @06:47PM
    • Re:Oh no! by evanh (Score:1) Sunday January 22 2006, @01:24AM
  • Well... (Score:1)

    by Ardeocalidus (947463) on Friday January 20 2006, @02:20PM (#14521046)
    I'm really not surprised. The LJ engine has been extremely vulnerable and these 0days are just more proof that corporate entities don't pay attention to security the way they should. The engine is written in PERL and needs a base of extensive javascript.

    It's a good thing that only a few sites run the LJ engine. They tend to be rather short-lived because of LJ's vulnerability. One of the others running the LJ engine is DeadEngine, a journal for gothic, emo kids (http://www.deadjournal.com/ [deadjournal.com]).

    • Re:Well... by njyoder (Score:1) Friday January 20 2006, @08:09PM
  • by mpontes (878663) on Friday January 20 2006, @02:20PM (#14521050)
    I've been following this lately, and Six Apart's behaviour in this situation seems quite lacking. If what the article says is true and bantown have been just stealing cookies, the only measure they took, a recent change in LJ's subdomain policy [livejournal.com], seems quite pointless, since cookies are bound to .livejournal.com anyway.

    They also don't tell us which browser is affected in the news post. How can we be safe if we are not informed? Can Six Apart actually deal with this in a professional way? I've been noticing LiveJournal is really slow and it hangs a lot lately. It seems that they know nothing about security and are just randomly mashing buttons in an attempt to hit the nail on the head.

    Is Six Apart that incompetent that they can't prevent such attacks after they have been going for days, or is this bantown group really that good?
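
    The point about the subdomain change comes down to cookie scoping: a session cookie set with Domain=.livejournal.com is attached to requests for every subdomain, so moving user content to its own host does not keep that content's scripts away from the cookie. Added example, not code from the page or from LiveJournal: the RFC 6265 domain-match rule in Python, run over constructed Set-Cookie headers and constructed hostnames, with a check for the HttpOnly flag that keeps a cookie out of document.cookie even where it is sent.

```python
"""Added example (not from the page or from LiveJournal): how the cookie
Domain attribute decides which hosts a session cookie is sent to, and
therefore whether moving user content to a subdomain isolates it."""
from dataclasses import dataclass
from http.cookies import SimpleCookie


@dataclass(frozen=True)
class ScopedCookie:
    name: str
    domain: str       # effective domain, without a leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    http_only: bool   # True when Set-Cookie carried HttpOnly


def parse_set_cookie(header: str, origin_host: str) -> ScopedCookie:
    """Scope a Set-Cookie header the way RFC 6265 tells a browser to.

    origin_host is the host that sent the response (constructed here).
    """
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    http_only = bool(morsel["httponly"])
    domain_attr = morsel["domain"].strip().lower().lstrip(".")
    if domain_attr:
        # Domain given: cookie goes to that domain and all its subdomains.
        return ScopedCookie(name, domain_attr, False, http_only)
    # No Domain attribute: host-only cookie, sent back to origin_host alone.
    return ScopedCookie(name, origin_host.lower(), True, http_only)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match: equal, or a subdomain of it."""
    host = request_host.lower().rstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def sent_to(cookie: ScopedCookie, request_host: str) -> bool:
    """Would the browser attach this cookie to a request for request_host?"""
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_matches(request_host, cookie.domain)


def readable_by_script_on(cookie: ScopedCookie, page_host: str) -> bool:
    """Can script running in a page on page_host read it via document.cookie?
    HttpOnly withholds the cookie from script even where it is sent."""
    return sent_to(cookie, page_host) and not cookie.http_only


if __name__ == "__main__":
    # Constructed header: a site-wide session cookie without HttpOnly.
    c = parse_set_cookie("ljsession=abc; Domain=.livejournal.com", "www.livejournal.com")
    for host in ("www.livejournal.com", "someuser.livejournal.com", "livejournal.com.example.net"):
        print(host, "sent:", sent_to(c, host), "script-readable:", readable_by_script_on(c, host))
```

The two levers a defender has are visible in the functions: dropping the Domain attribute makes the cookie host-only, so a journal served from someuser.livejournal.com never receives it, and adding HttpOnly keeps it out of document.cookie wherever it is sent (though script on a receiving host can still make authenticated requests with it).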

  • Ahhhhh security.... in Web 2.0 land (Score:5, Interesting)

    by TedTschopp (244839) on Friday January 20 2006, @02:21PM (#14521053)
    (http://www.tschopp.net/)
    As we move more towards applications that depend on the JavaScript enabled client (AJAX and all his relatives) we will see more of this hacking.

    On the bright side, it will eventually get people to code securely in a non-trusted environment because the source code is not only available, but changeable.

    Sadly, there will be a bunch of rough lessons between that wonderful future and what we have right now, especially with all the focus on WEB 2.0 and Ajax.
  • Even more appalling... (Score:5, Funny)

    by Orrin Bloquy (898571) on Friday January 20 2006, @02:25PM (#14521077)
    (Last Journal: Monday May 22 2006, @07:16PM)
    ...they hacked into my LJ and corrected all the meter in my "I am sad/I want to die" goth poetry!
  • Details are scarce. (Score:4, Insightful)

    by Peganthyrus (713645) on Friday January 20 2006, @02:28PM (#14521111)
    (http://egypt.urnash.com/)

    It would've been nice if LJ's news post on starting to fix this vulnerability had said which "popular browser" was affected.

    Also, I somehow find myself suspecting that the anonymous person calling this 'Bantown' group 'notorious' is probably a member of it.

    Details are scarce; all I could find in the LJ_Dev community relating to this was one post about the effects of the first phase of the fix [livejournal.com]. Especially check Brad's comments.

  • by mendaliv (898932) on Friday January 20 2006, @02:29PM (#14521114)
    From TFA:
    Bantown members said they created hundreds of dummy member accounts featuring Web links that used the Javascript flaws to steal "cookies"...

    And they claim to have the cookies for nine-hundred thousand accounts?!?! I'll admit that's probably a bloated number, but even ten percent of that is impressive.

    Honestly, for all the money we put towards advocating safe sex, we should be putting at least a little towards safe browsing.

    How many worms/virii/exploits in the past two years have required the victim to be duped into clicking on a mysterious link, or running a file in a mysterious e-mail?

    I'm not saying that I mind the earnings when I get to clean up one of those infected computers, but it's just astounding.
  • Great! (Score:2, Funny)

    by blake3737 (839993) on Friday January 20 2006, @02:32PM (#14521136)
    Great! While they're in there hacking around they can fix all the spelling errors and bad grammar so prolific in LJ
    • Re:Great! by Stephen Williams (Score:3) Friday January 20 2006, @03:05PM
    • Re:Great! by mattmacf (Score:2) Friday January 20 2006, @03:09PM
    • Re:Great! by Ben Varrey (Score:1) Friday January 20 2006, @05:55PM
  • If you want to put tons of dancing Jesus's on your page, and you get hacked, is it really that big a surprise? I'd be tempted to hack someone's blog just to shut off the Dancing Jesus on every post.

    But if you get hacked for Peanut Butter Jelly Time, now there's a travesty!
  • Seen on a hacked page (Score:5, Funny)

    by dkleinsc (563838) on Friday January 20 2006, @02:34PM (#14521160)
    Current mood: 0wned
  • MySpace (Score:3, Funny)

    by phalse phace (454635) on Friday January 20 2006, @02:41PM (#14521226)
    [Bantown] group members said they plan to turn their attention to looking for similar flaws at another large social-networking site.

    [ says to himself ]
    Please let it be MySpace. Please let it be MySpace.

  • Brown shirts (Score:1, Insightful)

    by MikeRT (947531) on Friday January 20 2006, @02:44PM (#14521246)
    (http://www.codemonkeyramblings.com/)
    And this is different from going out in public and shouting down a conversation or trying to shut down a protest that you disagree with, how? These crackers are brown shirts, not heros.
  • by digitaldc (879047) on Friday January 20 2006, @02:52PM (#14521323)
    When your site is down & Livejournal's making you angry
    You can always blame - Bantown!
    When you've got blogs, all the noise and the worry
    Seems to stop, I know - Bantown!
    Just listen to the music of the vulnerable website
    Linger on the domain where the CSS is not right
    You only lose!

    The lags are much longer there
    You can see all your troubles, see all your fear
    So go Bantown! things'll be worse when you're
    Bantown! - no security measures, for sure
    Bantown! - everyone's waiting on you!
  • This is Cross Site Scripting (Score:5, Informative)

    by mrkitty (584915) on Friday January 20 2006, @02:56PM (#14521366)
    (http://www.cgisecurity.com/)
    I've written an FAQ on this type of attack which can be found below.
    The Cross Site Scripting FAQ [cgisecurity.com]
  • Long Standing Xanga Vulnerability (Score:2, Informative)

    by gasjews (941147) on Friday January 20 2006, @03:10PM (#14521488)
    (http://www.gasjews.com/)
    The GNAA Security Center [www.gnaa.us] released working exploit code for the Xanga [xanga.com] blogging service (which, I might add, predates MySpace by quite a long time, and maybe LJ too).

    This exploit [grok.org.uk] works because Xanga lets users insert Javascript codes into their websites. A malicious user just needs to add the code to their "Look and Feel" control panel and then the Javascript code will send the login cookies of anyone who visits their page to a remote server. Xanga has rudimentary JS filtering of "bad" functions but these filters can easily be bypassed by using the document.print method to write out the bad code across several calls (i.e. document.print("");). Xanga knows about the problem but will not fix it.

    This code was used to breach security of several Xanga administrators for many months.
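
    The filter failure described above is the general weakness of keyword blacklists on user-supplied markup: a forbidden name written in pieces never appears as a substring, and the filter has no model of what the markup means. Added example, not code from the page or from Xanga: a Python blacklist of the kind the post describes, beside an allowlist sanitizer built on the standard library's HTMLParser that keeps only named tags and attributes, drops script and style elements with their bodies, drops every event-handler attribute, and keeps only http(s) URLs. The sample fragments are constructed.

```python
"""Added example (not from the page or from Xanga): why a keyword
blacklist on user-supplied HTML fails and what an allowlist sanitizer
does instead. Sample fragments are constructed for this illustration."""
import re
from html import escape
from html.parser import HTMLParser

# A blacklist of the kind the post describes: strip known-bad names.
BLOCKED_WORDS = ("document.cookie", "eval(", "window.location")


def blacklist_filter(fragment: str) -> str:
    """Remove every blocked substring. A name written in pieces and
    joined at run time never contains the substring, so it passes."""
    out = fragment
    for word in BLOCKED_WORDS:
        out = re.sub(re.escape(word), "", out, flags=re.IGNORECASE)
    return out


# Allowlist: tag -> attributes that may survive. Everything else is dropped.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "a": {"href", "title"}, "img": {"src", "alt"},
}
URL_ATTRS = {"href", "src"}              # only http(s) URLs are kept
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style"}  # tag and its body both disappear


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0          # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                   # unknown tag is dropped; its text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue             # drops every on* handler attribute
            value = value or ""
            if name in URL_ATTRS and not value.strip().lower().startswith(("http://", "https://")):
                continue             # drops javascript:, data: and other schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}{' /' if tag in VOID_TAGS else ''}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:      # text is re-escaped on the way out
            self.out.append(escape(data, quote=False))


def sanitize(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed sample of the split-string trick the post describes: the
# blocked name never appears whole, so the blacklist sees nothing.
SPLIT_SCRIPT = '<script>document.write("document.coo"); document.write("kie");</script>'

if __name__ == "__main__":
    print("blacklist :", blacklist_filter(SPLIT_SCRIPT))
    print("allowlist :", sanitize("<p>Hi <b>there</b>" + SPLIT_SCRIPT + "</p>"))
```

The allowlist never has to recognise what the script does: any script element is removed with its body, so splitting, encoding or renaming inside it changes nothing. A production sanitizer would add URL normalisation and a larger tag table, but the decision structure stays the same.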
  • frequent problems (Score:2, Interesting)

    by headonfire (160408) on Friday January 20 2006, @03:10PM (#14521495)
    since the six apart acquisition and the moving of the data center from seattle to san francisco, livejournal has actually had perpetual technical issues. User pictures being jumbled, comment notification emails broken (this has been a recurring one), problems during peak load hours, community comments, and the like. Every day I look on in greater dismay as admin messages tell me something else is broken or having troubles. I like the service enough to pay for it, so I can keep in touch with old friends I've moved away from. But the 6apart and data center swap were terrible, terrible ideas that are degrading service quality inch by emo little inch.
  • by metalpet (557056) on Friday January 20 2006, @03:23PM (#14521616)
    (Last Journal: Sunday December 28 2003, @01:46AM)
    ...about the 16 other XSS attacks.

    I've reported an XSS flaw exploitable over IE to LJ over 2 years ago, and the flaw is still exploitable to this day.
    (Yes, the email report was read by the right folks over at LJ.)

    I'm slightly overdue to send them my yearly reminder, I think. (I should probably set up a cron job for that.)
  • economics (Score:1, Interesting)

    by Anonymous Coward on Friday January 20 2006, @03:53PM (#14521880)
    Cross Site Scripting is compounded by the fact that many of these sites use plain cookies for authentication.

    A while back I deciphered mySpace's cookie encoding so I could log in as any user. I was disgusted. When I managed to chat with mySpace's CIO, it became clear they had no intention of fixing this.

    In their opinion, the economics of better security didn't make sense. Server clustering meant that traditional {fast} sessions wouldn't work, and using a database to store session info was too slow.

    I'm not sure if this is still true, but at the time, advertising hit counts mattered, security did not.
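
    The objection reported above, that a server-side session store was too slow for a clustered site, does not force the choice of a plainly encoded cookie: a cookie that carries its own integrity tag can be checked on any server with nothing but the shared key. Added example, not code from the page or from MySpace: the forgeable encoding the post describes beside an HMAC-SHA256 signed token with an expiry, in Python. The key, user ids and timestamps are constructed for the demonstration.

```python
"""Added example (not from the page or from MySpace): a session cookie
that carries its own integrity tag, so a clustered site can check it
without a shared session store, beside the forgeable plain encoding
the post describes. Key and user ids are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

DEMO_KEY = b"constructed-demo-key-not-for-production"  # constructed


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- the weak scheme: the cookie is only an encoding of the user id ------
def legacy_cookie(user_id: int) -> str:
    return b64(str(user_id).encode())


def legacy_login(cookie: str) -> int:
    # Nothing binds the cookie to the server: anyone who understands the
    # encoding can produce a valid-looking cookie for any user id.
    return int(unb64(cookie))


# --- the stateless fix: payload plus HMAC-SHA256 over it -----------------
def encode_payload(user_id: int, exp: int) -> bytes:
    return json.dumps({"uid": user_id, "exp": exp}, separators=(",", ":")).encode()


def issue(user_id: int, key: bytes = DEMO_KEY, ttl: int = 3600,
          now: Optional[float] = None) -> str:
    """Mint a token: base64(payload).base64(tag). No server state kept."""
    current = time.time() if now is None else now
    payload = encode_payload(user_id, int(current + ttl))
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64(payload)}.{b64(tag)}"


def verify(token: str, key: bytes = DEMO_KEY, now: Optional[float] = None):
    """Return the user id, or None if the tag is wrong or the token expired."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = unb64(payload_b64), unb64(tag_b64)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time compare
        return None
    try:
        claims = json.loads(payload)
        uid, exp = claims["uid"], claims["exp"]
    except (ValueError, KeyError, TypeError):
        return None
    if exp < (time.time() if now is None else now):
        return None
    return uid


if __name__ == "__main__":
    # Constructed walk-through: a cookie for user 42, then one for user 1
    # minted by an outsider who knows the encoding but not the key.
    print("legacy, forged for uid 1 :", legacy_login(b64(b"1")))
    token = issue(42)
    print("signed, genuine          :", verify(token))
    forged = b64(encode_payload(1, 2 ** 31)) + "." + token.split(".")[1]
    print("signed, forged payload   :", verify(forged))
```

Every server in the cluster needs only the key, which answers the clustering objection without a database lookup per request. What a signed token still does not give you is revocation: a stolen token stays valid until it expires, which is why the expiry is kept short and why cookie theft through script injection remains the problem the rest of this thread is about.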
  • by web_boyo_in_sac (805076) on Friday January 20 2006, @04:00PM (#14521943)
    As a LiveJournal user and a California resident, I'm a little confused: per state law, they are required to inform users of breaches of security like this.
  • And now, (Score:5, Insightful)

    by Council (514577) <rmunroe.gmail@com> on Friday January 20 2006, @04:04PM (#14521976)
    (http://xkcd.com/)
    Cue the 500 posts about "haha, sucks for those Livejournal-using emo fucks" which help (a) put me off of Slashdot for a few days, and (b) obscure the actual information about how I should secure my account or what vulnerabilities these break-ins made use of.

    I'm taking a deep breath and trying not to get in an argument with the "Livejournal is stupid" crap that will get modded funny. Just be aware that it gets on the nerves of those of us who use it, and there will inevitably be posts by people defending LJ, and then ridiculous anti-LJ evangelizing posts (as if anyone commenting on Slashdot doesn't know their way around blogs).

    If you're posting anti-LJ jokes, please try to make them funny. And if you see useful information about the exploits, mod it up.
    • Re:And now, by ClamIAm (Score:1) Friday January 20 2006, @04:15PM
      • Re:And now, by Council (Score:2) Friday January 20 2006, @04:30PM
      • Re:And now, by cornface (Score:1) Saturday January 21 2006, @01:03AM
        • Re:And now, by ClamIAm (Score:1) Saturday January 21 2006, @06:35PM
    • I am a LJ user and LJ hater. by Khyber (Score:2) Saturday January 21 2006, @12:19AM
    • Re:And now, by JoshNorton (Score:1) Friday January 20 2006, @04:53PM
  • Oh, the irony (Score:2)

    by sboyko (537649) on Friday January 20 2006, @04:41PM (#14522291)
    (http://www.theboykos.com/)
    Isn't it funny how people post here about the angst-ridden LJ'ers and yet have all day to moan and complain here? Is your angst just directed toward different things?

    And yes, I'm aware of the irony of me whining about other users on Slashdot. And yes, I have a LJ account.
  • Bantown contact info (Score:2, Interesting)

    by Anonymous Coward on Friday January 20 2006, @05:14PM (#14522593)
    The Bantown kids are notorious troublemakers. #bantown is juped on several EFnet servers and many networks because of their "Banbot", which invites tens of thousands of users to bantown and then kickbans them. They are pretty funny though, and I have enjoyed some of the time I have spent in their channel (when they aren't scrolling ANSI penis and goatse). You can find them at irc.rizon.net #bantown and they have a tollfree contact number at 888-LOL-WHAT. Yes, that number is real and works.
  • Serves LJ right... (Score:2)

    by Khyber (864651) <khyberkitsune@gmail.com> on Friday January 20 2006, @05:24PM (#14522671)
    (Last Journal: Saturday November 10, @03:30PM)
    Using Javascript was just ASKING for someone to bust in and screw with your stuff.

    Funnily enough, a couple months ago LJ told me my password was too insecure. I told them they had no right to talk to me about security.

    Looks like I was right after all.
  • For those curious (Score:2, Interesting)

    by cythrawll (868585) on Friday January 20 2006, @05:26PM (#14522695)
    For those curious what was done with said accounts, they were also used to post a number of comments on the following posts: here [livejournal.com] here [livejournal.com] here Look at the comments.
  • by velocipenguin (416139) on Friday January 20 2006, @05:31PM (#14522741)
    I found a cross-site scripting hole in LiveJournal about two years ago, and wrote a very effective proof-of-concept exploit for it. I never disseminated any information about it, but it sounds like Bantown is exploiting similar vulnerabilities. LiveJournal's security is far too easy to circumvent if you can find a way to sneak JavaScript into a journal page.
  • by msbsod (574856) on Friday January 20 2006, @05:36PM (#14522780)
    This is not the first time that Javascript-related vulnerabilities caused trouble for a lot of people and it will not be the last time. Therefore people with common sense would like to simply turn off Javascript in the browser settings so that for example bank account information (cookies etc.) cannot be revealed to malicious web sites. But, without Javascript enabled most bank web sites cannot be accessed. By law everybody who likes to operate a car has to pass a driver's test. Why is at least common sense not required to operate a bank web site?
  • Being a frequent livejournal user, I can tell you all with confidence that LJ has a very small population of emos. Why the hell would any emo make a livejournal when they could make a deadjournal [deadjournal.com] or a Xanga [xanga.com]?
  • by Webmoth (75878) on Friday January 20 2006, @08:34PM (#14523806)
    (http://slashdot.org/)
    "...group members said they plan to turn their attention to looking for similar flaws at another large social-networking site..."

    Is Slashdot next?
  • by mpontes (878663) on Friday January 20 2006, @02:57PM (#14521377)
    Mod parent up, it's true. A user posted an email [livejournal.com] he got from bantown saying that on his LJ, too.
  • Re:Hack This Sight (Score:2, Informative)

    by PastAustin (941464) on Friday January 20 2006, @05:10PM (#14522551)
    I have a sight for them to hack: www.yafro.com

    Imagine a photo blog with the mental age of 12, but the environment of a singles bar and the insecurities of all attention whores concentrated in one place. Shouldn't happen, should it? Well it has and it's called Yafro. Please h4x0r this sight friendly hackers. ;P



    I think your sight is already hacked because you're too blind to realize that sight and site are two different things. And just because they're pronounced the same doesn't mean they are the same thing. It's like son and sun.

    Saying I wasn't going to complain anymore was a lie. I may start complaining more actually.