Details of the LiveJournal Account Hacks

An anonymous reader writes "Brian Krebs of the Washington Post has written about the recent spate of hijackings at Six Apart's popular LiveJournal service. Hundreds of journals have now been taken over by a notorious group called 'Bantown' using a series of complicated cross-site-scripting vulnerabilities. Krebs details the recent security changes made by LiveJournal in response to the takeovers." From the article: "It is unclear whether LiveJournal has managed to close the security holes that the hackers claim to have used. The company says it has, but the hackers insist there are still at least 16 other similar JavaScript flaws on the LiveJournal site that could be used conduct the same attack. [Bantown] group members said they plan to turn their attention to looking for similar flaws at another large social-networking site. "

Blog

[Ribbo.com]

Maybe they should write about how they did it in their blog, I mean someone elses blog.....

Re:Blog

[dirvish]

That is about all they can do. What is the point of hacking a livejournal account? I guess you could put up some ads...

I suppose they aren't going do the nice thing of explaining these 16 supposed holes to livejournal.

Re:Blog

[Ribbo.com]

The correct answer to any "What is the point" question is always "Because they can". Just like the idiots who insist on being the first to post to any new thread, others also crave "being the first" no matter how pointless, insignificant or downright rude it is. It will take a much smarter person than me to work out why they do it (maybe they actually want a job in internet security!)

Re:Blog

[pipingguy]

It will take a much smarter person than me to work out why they do it (maybe they actually want a job in internet security!)

I'm not smarter than you but I know that those who fuck things up for the rest of us tend to be young (chronologically or mentally) interested in "making a mark". Like peeing to claim territory.

I'm not immune to the occasional harmless troll myself, but this is just pure abuse.

Re:Blog

[mmkkbb]

if you can explain that, you can explain all this weird world [encycloped...matica.com]

Re:Blog

[springbox]

[encyclopediadramatica.com]

I'm a little put off how there appears to be multiple ads for ban saws on the side of the main page

Re:Blog

[Shadow Wrought]

What is the point of hacking a livejournal account?

Replacing crap with more better crap? Maybe they wanted to show of their l33t skilz and still claim moral obligation as a defense.

Poor Emos!

[Ardeocalidus]

Nooo! Poor Emos! I can just see them shivering in a cold, dank corner, cutting themselves because their journal was hi-jacked. What is becoming of this world?!

Re:Poor Emos!

[hkgroove]

I can just see them shivering in a cold, dank corner, cutting themselves because their journal was hi-jacked.

No, they wouldn't. Because there's no longer a reason to cut themselves! No one can read or comment about it.

Re:Poor Emos!

[j_kenpo]

Damned, Now I know I'm old. Apparently the whole "Emo" scene sprouted up around me, and I had no idea. I had to look that up. Scarry... now get off my lawn.

Re:Poor Emos!

[ZeroExistenZ]

<Pax> I wish my lawn was emo, so it would cut itself. [bash.org]

Re:Poor Emos!

[dr_dank]

Nooo! Poor Emos! I can just see them shivering in a cold, dank corner

Don't worry, I don't let those pansies anywhere near my corner.

Wake up call

[Anonymous Coward]

This is a wake up call to people who use these services... sites like MySpace, LiveJournal, all have fancy features that do things that "users want", but at the expense of security because users don't think of/realize/care about security unless it actually results in a successful hack against them. Those who have hacked LJs might want to consider running their blog using plain text instead of all that wacky Javascript (not exactly necessary for something as basic as text on a web page). Ya get what you pay for... I'd be pretty choked if I was a LJ user who paid for a membership and had my pages all highjacked beyond repair, though...

Re:Wake up call

[Lehk228]

myspace already got owned by a javascript worm that worked it's way into millions of profiles.

now instead of fixing the site it asks you for your password 50 f*cking times a day.

it was funny

[conJunk]

that was the funniest part of TFA:

So far, the damage has been mostly harmless. The most high-profile case so far came in mid-October when one Myspace.com user released a self-replicating computer worm that took advantage of Javascript flaws to add more than a million fellow users to his buddy list. A similar worm hit the online community Xanga on New Year's eve (there is also some strong language at this link.)

he used his worm to add people to his buddy list! that's really really funny! look how popular i am! i've got millions of friends! no one will laugh at me now!... er... i uh... yes... i wrote a worm to make friends for me....

Re:Wake up call

[Neoprofin]

1) The problem was actually in IE's ability to fix and execute broken CSS code which allowed him to input a broken call to a script to get it past the filters and then have IE fix and execute it. THe author himself took down his profile to stop the spread and after a few hours of downtime the problem was fixed, in fact there's a /. article about it. 2) You have to enter your password every time you log out, which is every time you close your browser. Never close the browser never log out. Simple.

Re:Wake up call

[Lehk228]

it's more than just every time you log out almost any time you follow a link form outside myspace in you have to log in, even if you have another window already logged in.

1998 called and wants their hairy spaghetti code website back

Re:Wake up call

[deep44]

This is a wake up call to people who use these services... sites like MySpace, LiveJournal, all have fancy features that do things that "users want", but at the expense of security because users don't think of/realize/care about security unless it actually results in a successful hack against them.

While I agree with your point, keep in mind that the accounts in question were compromised when the account owner clicked on a web link pointing to malicious JavaScript, which then stole the appropriate LiveJou

I don't know

[rsilvergun]

these guys should watch themselves. Myspace and Livejournal are huge, and probably big business by now. I'd expect a criminal investigation, and at least a few lambs thrown to the wolves (read: jail time).

Re:I don't know

[neocon]

``Lambs'', of course, are innocent and defenseless. I think you mean ``wolves thrown to the farmers''...

Re:I don't know

[rsilvergun]

I guess it depends on how you look at it. Most of these guys are just punk kids playing digital vandal without the slightest clue as to the world of hurt they'll be in if they get caught. Does a kid with a can of spray paint expect to face years in jail and millions of fines? From the perspective of a script kiddie that's all they really are. It's not that they're innocent, I'm just saying they probably don't have a clue of the scale of things here.

Re:I don't know

[neocon]

No, you're right -- my analogy was extremely unfair...

... to the wolf. At least the wolf, when it breaks into the fold, is trying to feed itself and its pack. These punk kids are just breaking things for the joy of hearing them break. It's not like it's 1983 again, either -- these things have been against the law (and the law has been enforced) for the entire lifetime of some college freshman now downloading shellcode which he couldn't write and doesn't really understand.

Throw the book at 'em. :-)

Re:Wake up call

[dirvish]

Ummm, no suprise, 'cause it is already. The company that created recently sold for half a billion dollars.

Oh dear!

[Junky191]

How on Earth are all those white kids in the suburbs going to express their teen angst now?

Re:Oh dear!

[smittyoneeach]

What a dumb question.
Clearly, they will use the new <lj-hijack> tags to drone on about the stupidity of parents, education, and responsibility on someone else's journal. ;)

Oh dear!-SlashBlog

[Anonymous Coward]

"How on Earth are all those white kids in the suburbs going to express their teen angst now?"

Post to Slashdot.

Oblig. Family Guy...

[everphilski]

(Chris paints some abstract art and gives it to his father for his birthday)

"Its partially an expression of my teenage angst... But mostly it's a moo-cow!"

Re:Oh dear!

[StrawberryFrog]

How on Earth are all those white kids in the suburbs going to express their teen angst now?

How on Earth are all those white kids in the suburbs going to express their teen angst now?

I wouldn't know mate. I'm in my 30s, and I use LJ to keep in touch with family and friends around the world (UK, Australia, US and South Africa mostly).

Or at least I did, until my account was hacked and locked today. A good number of other accounts are in the same boat. I just hope that the LJ admins sort it out soon. My account email address was changed to bantownlj292@mailinator.com . I just hope my posts are OK. I can't even tell at present.

Re:Oh dear!

[ZeroExistenZ]

Check your inbox [mailinator.com]

Mailinator is an annonymous "spamtrap" email system accessable for everyone.

Re:Oh dear!

[StrawberryFrog]

Update: We're back! Thanks, "Natasha, LiveJournal Abuse Team" I really apprecate the swift reinstatement.

Mod up.

[painandgreed]

I'd mod you up if I had points. I'm almost 40 and use LJ for everything from keeping up with family to seeing who wants to go out for sushi after work. It's a place where my old friends can check up to see what I've been doing and check it again later if they forget. It serves some functions much better than email or phone.

Re:A serious question

[vertinox]

Or at least I did, until my account was hacked and locked today.

A question for my own reference. By chance, do you use windows? And if you do, do you use Internet Explorer 6?

Re:A serious question

[StrawberryFrog]

1) Yes, Windows XP
2) No, Firefox 1.5 thankyouverymuch.

Re:A serious question

[vertinox]

Oh wow. I wonder if they brute forced your account or did they get fire fox to somehow comprimise your account?

Re:A serious question

[StrawberryFrog]

Apparently it was done due to flaws in Lj's secutiry model, judging by friends acounts, it happened to about 5% of the total LJ population today.

Re:Oh dear!

[StrawberryFrog]

Ever try email?

What, I should write emails to everyone I know saying "The weather in London is rubbish today....". Sorry, but different technologies are best suited to different things. I let them all know that I have an LJ, and those that want to will go and read it, if and when they want to.

I bet it's myspace

[janvo]

I'm betting that this group will take down myspace accounts next. That website is notoriously bad for bugs and well, in my opinion is just horribly written. I guess we'll see what 'Tom' has to say ... :)

Re:I bet it's myspace

[porkThreeWays]

Horrible doesn't begin to describe the awful coding. I've seen bugs as amateur as off-by-1 bugs in their pagination code. It's like the don't check it at all. If you've got 25 posts, and the page size is 25, why am I seeing a next button? Oh well, *click* (blank page comes up).

Not to mention random bug after random bug that makes navigation difficult to impossible at times. They're extremely lax input validation makes it possible for spammers to set up camp and add 50,000 friends, while appearing to have

Re:I bet it's myspace

[MikeFM]

I'd be more impressed if they could index every dirty picture on MySpace and copy them all out so you could look at them in some linear way without having to work through all that annoying crap about peoples lifes. Gee at least that'd be useful.

Legal Implications

[eldavojohn]

In LiveJournal's TOS [livejournal.com], they state:

JOURNAL CONTENT

Guidelines for posting to your online journal shall be as follows:

1. All Content posted to LiveJournal.com in any way, is the responsibility and property of the author. LiveJournal is committed to keeping the Service in decent standing for all audiences but is not responsible for the monitoring or filtering of any journal Content. Within the confines of international and local law, LiveJournal.com will generally not place a limit on the type, or appropriateness of user content within journals. Those users posting material not suitable for all audiences must agree that they are fully responsible for all the content they have posted anywhere on the service. Should content be deemed illegal by such law having jurisdiction over the user, LiveJournal.com is committed to submitting all necessary information to the proper authorities; ....

So it sounds like they might be in trouble with people losing property, however also in the TOS:

MODIFICATIONS TO SERVICE

LiveJournal.com reserves the right to modify or discontinue, temporarily or permanently, the Service (or any part thereof) with or without notice at any time. You agree that LiveJournal.com shall not be liable to you or to any third party for any modification, suspension or discontinuance of the Service.

And there are other parts that make it sound like LiveJournal would never be in trouble for this unauthorized access parts. But really, who would bother to post their thoughts and words on a site that has no garauntee of saving them? At any minute, LiveJournal could format its servers and databases and start over with no one able to say anything.

Re:Legal Implications

[porkThreeWays]

This may apply to the free service, but it would never fly for their pay service (I think they still have a pay service anyway). Just because you write something doesn't make it legal or enforcable. Lawyers usually write this sort of garbage and write it in a manner which seems to obsolve them of any sort of legal responsibility ever. In the real world many of these terms don't stand up in court.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Legal Implications

[Max Threshold]

That's why there are personal backup clients for anyone who cares.

What a DANGEROUS thing to do...

[PortHaven]

How many livejournalers are unstable?

Whatch, some overly depressed LJ'er is going to flip out and take a sledgehammer to the skulls of the perpetrators. Very dangerous to mess with the jouranls of unstable people.

*click*
*cluck*
*cluck*
*cluck*
*cluck*

Just ignore the sound of me loading rounds into my clip...you didn't hear that...

Re:What a DANGEROUS thing to do...

[RollingThunder]

The perpetrators just need to make sure they never visit the victim's parent's basements.

Re:What a DANGEROUS thing to do...

[rkanodia]

*click*
*cluck*
*cluck*
*cluck*
*cluck*

Somehow, I don't think they're going to be very afraid of the mechanical chicken you just activated.

Oh no!

[BigZaphod]

from the article:

Bantown claims to have figured out a way to subvert that test, and to have even released a free, open-source program that others could use to do the same.

I like how it was pointed out that this little program is "open-source" almost as if that's a bad thing.

Well...

[PornMaster]

It means that people can see how it's done and try modifying it, instead of just running a binary.

In the same way that having the source can be good when used in positive ways, you've got to admit that it's also bad when used in negative ways.

Re:Oh no!

[Billosaur]

Bantown claims to have figured out a way to subvert that test...

CAPTCHA images are useful, but not unbreakable. If they were planning on using that as their only line of defense against scripts, they were really kidding themselves. Simple distorted and discolored text is difficult but not impossible to crack. The CAPTCHA Project [captcha.net] is working on more sophisticated forms, using multiple words, image groups, and even audio.

Re:Oh no!

[brontus3927]

Care to point out some of these cracking tools? I'd really like to be able to join a yahoogroup in under 3 tries

Re:Oh no!

[starwed]

Livejournal itself is open source, but I rarely see that mentioned.

Is Six Apart able to deal with this properly?

[mpontes]

I've been following this lately, and Six Apart's behaviour on this situation seems quite lacking. If what the article says is true and bantown have been just stealing cookies, the only measure they took, a recent change in LJ's subdomain policy [livejournal.com] seems quite pointless, since cookies are binded to .livejournal.com, anyway.

They also don't tell us which browser is affected on the newspost. How can we be safe if we are not informed? Can Six Apart actually deal with this in a professional way? I've been noticing LiveJournal is really slow and it hangs a lot lately. It seems that they know nothing about security and are just randomly mashing buttons in a attempt to hit the nail in the head.

Is Six Apart that incompetent that they can't prevent such attacks after they have been going for days, or is this bantown group really that good?

Re:Is Six Apart able to deal with this properly?

[davidsyes]

First of all, NONE of my e-mail or forum memberships log in automatically. Even though I live alone and even tho my desktop automatically locks (and, I CTRL + ALT + L when I leave before the screen saver locks). I purge the cookies after each site logon, even when I switch between two IDs on the same servicing site.

On a site of which I have a membership, I logged out, closed the tab for that site, went into: /home/username/.kde/cache-username/http/letter-of- site-being-talked-about

and then disconnected the

Re:Is Six Apart able to deal with this properly?

[Max Threshold]

The LiveJournal development and support staff have always been incompetent. In the past, they've compensated paid users with extensions on their subscriptions because of extended service problems they didn't seem to know how to fix. Most recently, they moved their servers from Seattle to L.A., and for the next month, nobody was receiving their comment notifications. They claimed to have fixed it, then realized they hadn't, then sort of brushed it under the rug. I'm still missing all my comment notifications from the month following November 22, 2005. (And there's no other way to follow threads in communities.)

In many ways, LiveJournal is becoming one of those sites that people only use because it's well-established. If it were new, the glaring problems with the software that runs it would leave it DOA... much like Photo.net and Slashdot.

Ahhhhh security.... in Web 2.0 land

[TedTschopp]

As we move more towards applications that depend on the JavaScript enabled client (AJAX and all his relatives) we will see more of this hacking.

On the bright side, it will eventually get people to code securely in a non-trusted enviroment becuase the source code is not only available, but changeable.

Sadly, there will be a bunch of rough lessons between that wonderful future and what we have right now, espeically with all the focus on WEB 2.0 and Ajax.

Re:Ahhhhh security.... in Web 2.0 land

[Bogtha]

As we move more towards applications that depend on the JavaScript enabled client (AJAX and all his relatives) we will see more of this hacking.

I wouldn't say that. Cross-site scripting is usually caused by user-supplied data being inserted into a page improperly. That's a problem with the bit that generates the HTML. Using more Javascript on a page doesn't change that; a page can use no Javascript whatsoever and still be vulnerable to cross-site scripting attacks.

Re:Ahhhhh security.... in Web 2.0 land

[aztracker1]

I don't see how it will necessarily be *more* dangerous than today... simply hit some main points.. strip script tags altogether from user input... or detect/escape them. with link tags, remove them if the href starts with "javascript:" and third, remove on* event attributes from any user inputted tags... issue resolved (for the most part)...

The problem isn't the level of javascript in a site, the problem is checking/validating user input. This is something most developers, especially professional ones, should know.

Re:Ahhhhh security.... in Web 2.0 land

[Gyorg_Lavode]

It seems to be fairly hard to remove javascript from input where other tags are allowed. By removing things you introduce other things. And web browser parsing becomes even more complex.

Is there an easier way to check for injections on rendering of the data rather than on saving of the data?

Re:Ahhhhh security.... in Web 2.0 land

[TedTschopp]

Is there an easier way to check for injections on rendering of the data rather than on saving of the data?

Actually no, you want to check on input, and when you move between tiers. Something that is valid in the client, might be a problem in the application tier or the data tier. And as someone someplace else stated, never trust input. So your database would validate the information before its stored, your application would check the data (from the client and from the database) when it is passed into that

Re:Ahhhhh security.... in Web 2.0 land

[psocccer]

In general when looking at restricting things I find it's better to determine what is ok instead and only let through those things you know are not harmful. For example, maybe you wrote a website in 1998 that let users post to a guestbook, so you filtered out javascript, frames, etc. Well along comes xhtml+css and now there's new ways to embed javascript, so you have to update the things you strip out. You are now constantly reacting to the changes or extensions of the specification which may result in m

Re:Ahhhhh security.... in Web 2.0 land

[Stalyn]

I think the best solution is to replace html tags with "&lt" and "&gt" in all user input. If you want users to format their output use a markup language you define or something pre-existing like Textile [textism.com]

Re:Ahhhhh security.... in Web 2.0 land

[merreborn]

My father's been designing multiuser apps since the '80s on quantumlink.

He taught me a simple, valuable lesson that programmers ignore every day, often with harsh consequences.

DON'T TRUST THE CLIENT.

There's never a guarentee that the computer your server is communicating with is running client you wrote, be it in 6502 assembly or Javascript.

Even more appalling...

[Orrin Bloquy]

...they hacked into my LJ and corrected all the meter in my "I am sad/I want to die" goth poetry!

Re:Even more appalling...

[starwed]

I just don't get the massive amounts of these jokes that appear on slashdot. Almost everyone I know uses LJ, and none of them use it to post goth poetry. They just use it as a blog...

Details are scarce.

[Peganthyrus]

It would've been nice if LJ's news post on starting to fix this vulnerability had said which "popular browser" was affected.

Also, I somehow find myself suspecting that the anonymous person calling this 'Bantown' group 'notorious' is probably a member of it.

Details are scarce; all I could find in the LJ_Dev community relating to this wasone post about the effects of the first phase of the fix [livejournal.com]. Especially check Brad's comments.

Re:Details are scarce.

[tsu doh nimh]

Looks like this wasn't really a browser problem. I just spotted this in the comments section of the Post's story, probably written by the author:

"Wiredog -- Shoot, I forgot to address that in the posting. LJ considered the flaw related to a Firefox problem, but Bantown says that's not really the issue here. From my discussion with the Bantown people: "Livejournal assumed the majority of our javascript injection attacks involved malicious code implanted in style sheets or user posts, and they have heavi

Great!

[blake3737]

Great! While they're in there hacking around they can fix all the spelling errors and bad grammer so prolific in LJ

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Great!

[mattmacf]

...all the spelling errors and bad grammer so prolific in LJ

You realize where you're posting this, right?

Hackers 1, Dancing JS Jesus: 0

[192939495969798999]

If you want to put tons of dancing Jesus's on your page, and you get hacked, is it really that big a surprise? I'd be tempted to hack someone's blog just to shut off the Dancing Jesus on every post.

But if you get hacked for Peanut Butter Jelly Time, now there's a travesty!

Seen on a hacked page

[dkleinsc]

Current mood: 0wned

MySpace

[phalse phace]

[Bantown] group members said they plan to turn their attention to looking for similar flaws at another large social-networking site.

[ says to himself ]
Please let it be MySpace. Please let it be MySpace.

MySpace Already Got Hit by XSS Worm

[miller60]

MySpace has already been hit with a cross-site scripting worm [wormblog.com].

Bantown! (sung in the Petula Clark style)

[digitaldc]

When your site is down & Livejournal's making you angry
You can always blame - Bantown!
When you've got blogs, all the noise and the worry
Seems to stop, I know - Bantown!
Just listen to the music of the vulnerable website
Linger on the domain where the CSS is not right
You only lose!

The lags are much longer there
You can see all your troubles, see all your fear
So go Bantown! things'll be worse when you're
Bantown! - no security measures, for sure
Bantown! - everyone's waiting on you!

Re:Bantown! (sung in the Petula Clark style)

[Control Group]

Wow

Nicely done.

Wish I had modpoints.

Re:Bantown! (sung in the Petula Clark style)

[digitaldc]

Nicely done.

Thanks, Petula Clark and Death Metal have always had a huge influence on me.

This is Cross Site Scripting

[mrkitty]

I've written an FAQ on this type of attack which can be found below.
The Cross Site Scripting FAQ [cgisecurity.com]

Long Standing Xanga Vulnerability

[gasjews]

The GNAA Security Center [www.gnaa.us] released working exploit code for the Xanga [xanga.com] blogging service (which, I might add, predates MySpace by quite a long time, and maybe LJ too).

This exploit [grok.org.uk] works because Xanga lets users insert Javascript codes into their websites. A malcious user just needs to add the code to their "Look and Feel" control panel and then the Javascript code will send the login cookies of anyone who visits their page to a remote server. Xanga has rudimentary JS filtering of "bad" functions but these filt

frequent problems

[headonfire]

since the six apart acquisition and the moving of the data center from seattle to san francisco, livejournal has actually had perpetual technical issues. User pictures being jumbled, comment notification emails broken(this has been a reoccuring one), problems during peak load hours, community comments, and the like. Every day I look on in greater dismay as admin messages telling me something else is broken or having troubles. I like the service enough to pay for it, so I can keep in touch with old friend

I'm pretty sure they're not bluffing...

[metalpet]

...about the 16 other XSS attacks.

I've reported an XSS flaw exploitable over IE to LJ over 2 years ago, and the flaw is still exploitable to this day.
(Yes, the email report was read by the right folks over at LJ.)

I'm slightly overdue to send them my yearly reminder, I think. (I should probably set up a cron job for that.)

That's not how I roll

[metalpet]

Although LJ is currently holding the record in the "most ignored security bugs I reported" category (clocking at 25 months. previous holder was MS, and that was only 2 months), my usual disclosure policy is to not publicize details of a bug once it has been acknowledged until after it gets fixed.
XSS on LJ seems minor enough not to warrant an exception.

Re:That's not how I roll

[xlv]

my usual disclosure policy is to not publicize details of a bug once it has been acknowledged until after it gets fixed.

You could contact their security team again and tell them you'll post to BugTraq or other security list if they don't give you a timeframe for the fix prior to the deadline. That way you'd still give them a chance to correct the problem but also prevent less ethical people from exploiting the bug.

That's the full disclosure debate thing all over

[metalpet]

Having been on both sides, as a security bug reporter, and as a web company employee having had to figuring out how to handle those exact kind of reports, I try to be reasonable on both sides.
I agree there are situations where public disclosure of an unpatched vulnerability is the right thing to do.
In the LJ case, the underlying problem, in my opinion, is that their HTML parser attempts to filter bad things using a blacklist approach, rather than a whitelist.
If I go public and effectively force them to scra

And now,

[Council]

Cue the 500 posts about "haha, sucks for those Livejournal-using emo fucks" which help (a) put me off of Slashdot for a few days, and (b) obscure the actual information about how I should secure my account or what vulnerabilities these break-ins made use of.

I'm taking a deep breath and trying not to get in an argument with the "Livejournal is stupid" crap that will get modded funny. Just be aware that it gets on the nerves of those of us who use it, and there will inevitably be posts by people defending LJ, and then ridiculous anti-LJ evangelizing posts (as if anyone commenting on Slashdot doesn't know their way around blogs).

If you're posting anti-LJ jokes, please try to make them funny. And if you see useful information about the exploits, mod it up.

Re:And now,

[Council]

as an internet community gets larger . . . if you don't do something to discourage them, they'll continue being idiots.

Generally, you can't fix other people. Specifically, you definitely can't stop anonymous interent people from being idiots by calling them idiots.

Arguing with strangers trolling online is like getting in a boxing match with a giant wall of flowing molasses -- it feels good to throw the first few punches, but then you realize you're getting all this gunk on your hands, and then you're stuck

Oh, the irony

[sboyko]

Isn't it funny how people post here about the angst-ridden LJ'ers and yet have all day to moan and complain here? Is your angst just directed toward different things?

And yes, I'm aware of the irony of me whining about other users on Slashdot. And yes, I have a LJ account.

Bantown contact info

[Anonymous Coward]

The Bantown kids are notorious troublemakers. #bantown is juped on several EFnet servers and many networks because of their "Banbot", which invites tens of thousands of users to bantown and then kickbans them. They are pretty funny though, and I have enjoyed some of the time I have spent in their channel (when they aren't scrolling ANSI penis and goatse). You can find them at irc.rizon.net #bantown and they have a tollfree contact number at 888-LOL-WHAT. Yes, that number is real and works.

Serves LJ right...

[Khyber]

Using Javascript was just ASKING for someone to bust in and screw with your stuff.

Funnily enough, a couple months ago LJ told me my password was too insecure. I told them they had no right to talk to me about security.

Looks like I was right after all.

For those curious

[cythrawll]

For those curious what was done with said accounts, they were also used to post a number of comments on the following posts: here [livejournal.com] here [livejournal.com] here Look at the comments.

Online banking and Javascript

[msbsod]

This is not the first time that Javascript-related vulnerabilities caused trouble for a lot of people and it will not be the last time. Therefore people with common sense would like to simply turn off Javascript in the browser setting so that for example bank account information (cookies etc.) cannot be revealed to malicious web sites. But, without Javascript enabled most bank web sites cannot be accessed. By law everybody who likes to operate a car has to pass a driver's test. Why is not require at least c

Re:Livejournal hacks?

[gEvil (beta)]

I've seen your pictures and can definitively say that the hackers were doing the world a service.

Re:Livejournal hacks?

[Max Threshold]

Something like that. I found out about this whole incident about a week ago when visited the journal of a known non-troll in one of the LJ communities I read. Bantown had taken over her journal and posted a picture of someone fucking a plucked chicken carcass.

Re:Mood: Sad :(

[DaveJay]

Of COURSE XSS scripting attacks can go away, if programmers would take the most basic of precautions. All you need to do is make sure that ANY input you accept from a user ONLY has allowed characters.

This is a problem of ignorance ("I didn't think of that!") and laziness ("oh, nobody would bother figuring that out"), not of technical problems.

allowed characters

[brlewis]

If you want to allow users to put in any HTML except for malicious javascript, it gets a little more tricky than that.

Re:allowed characters

[plover]

That's why you whitelist the HTML tags you support, and then you still sanitize the users' data. Your permitting random HTML allows skript kiddies to take advantage of new exploits as they are revealed.

Even if the page was secure when you wrote it, the latest version of Apache (OK, IIS) might have a hole in the new FOO tag. You'd have to know to revisit your sanitizing routine to plug the newly discovered holes, and you'd need to do it fast before you're hit by the bad guys. A whitelist of nice safe ti

user shouldn't have to worry

[brlewis]

It should be that the worst consequence of clicking a mysterious link is seeing something you don't want to see. Preventing XSS requires more work than it probably should when you want to allow a subset of HTML. Putting the onus on the user isn't right even though the alternative requires a lot of work.

Re:Wonder why they haven't notified Californians..

[mmkkbb]

My account had a bogus email address after it got compromised, until I changed it (and then it was suspended) They are probably holding off everything until the situation is more under control.

Re:Easy to tame the dogs

[PastAustin]

The title of a post on that blog was: zomg Gr0w UP

Here is the text:

This is the most immature thing evar and I am glad to be no part of it. I am so sad when I see internet abused this way.

You terrar faggots should stop flying your pooplanes(?!) into the lj towers before we get mad and invade your butts(?!?!?!?!). like you are an iraq we will be up there in your anustowns. thank you

I'm not going to complain about anyone's typing on /. ever again... My god... Talk about immature.

Re:Hack This Sight

[PastAustin]

I have a sight for them to hack: www.yafro.com

Imagine a photo blog with the mental age of 12, but the environment of a singles bar and the insecurities of all attention whores concentrated in one place. Shouldn't happen, should it? Well it has and it's called Yafro. Please h4x0r this sight friendly hackers. ;P

I think your sight is already hacked because you're too blind to realize that sight and site are two different things. Any just because they're pronounced the same doesn't mean they are the sa

Re:Hack This Sight

[eno2001]

That's really asstute of you to notice that. Here is my business plan: I have some softwares you might want for free but it'll cost ya. My softwares will help you grow your own busyness at hoam using the simple tool of emails. The more emails you send the more money you can make. The profit margins oare all up to you my friend. Some of my partners have made millions with my softwares. And you can too. Just ask me how.