LiveJournal security
lj-PWN
soopageek
You know all of those nifty security changes LiveJournal has been making lately? What they neglected to tell you is why.

In case you don't follow the link to Bantown's Encyclopedia Dramatica entry from the Washington Post security blog:

"In order for the account takeovers to end, Bantown demands that Denise Paolucci post on the front-page LiveJournal news that LJ has been owned by Bantown."



Who is Denise Paolucci? Glad you asked. Apparently, the whole ordeal is the result of a vendetta that Bantown has for Ms. Paolucci.

Personally I find the staggering claim that they swiped 900,000 account passwords a little hard to swallow, but if it is true, it's no wonder that LiveJournal has been nagging about passwords for months and even freezing accounts. Also if this is true, that means you people click on ANYTHING. Sheesh. Considering there's only 2 million active LiveJournal accounts, they have a 50% success rate at obtaining the information necessary to hijack an account. Pretty impressive if you ask me.

People wonder why I'm so cautious about putting too many real-life things out into the internet. This is why, ladies and gentlemen: somewhere in some massive file of stolen cookies lies my login information to LiveJournal. The concept of "friends-only" and "private" doesn't really mean much in light of that.

Personally, I really don't buy the 900k figure. Mathematically, it's just too hard to reach.

I know from posting photos in communities that a good link can generate tens of thousands of hits in a matter of days as it propagates through LiveJournal and the internet at large.

I host photos with a program that utilizes PHP scripting to serve the photos. It wouldn't be hard to hack the script to make it execute programs on my webhost, or anything I wanted it to really (assuming I had the coding knowledge). Simple scripts could easily be written to serve a photo in an entry and the mere act of loading it could trigger all sorts of behind-the-scenes executions.

The real issue here is not what someone did or didn't click: I was being facetious with my assertion that people will click anything. The mere loading of a graphic from the internet can trigger all sorts of things if the person hosting it wants to. What is at issue is LJ's security and browser security.

I haven't gone in-depth into the nitty-gritty of what they did, but there are several indications that the "problem" was limited to people using Firefox and other Mozilla-based browsers, so that right there cuts down the potential victims to a smaller group.

Otherwise, and on a more historical note: I was one of the first to employ cookies. I started using them back right after Bill Dortch invented the things and have used them in several business models. I don't know the particulars of what makes Firefox different in this instance, but cookies were designed to be read only by the domain that installed them. It was and has remained part of their security from the very beginning.

So, my interpretation has been that they claim to have gotten 900k lj-users, all using Firefox or Mozilla, to click on a link (possibly malformed, but I don't know), and they used a script from within LJ or from within the browser's location bar to read the user's cookies. I've been using cookies for a long, long time, and so has every major website in the world. If somehow the original cookie implementation had been perverted so that my bank's cookies could be read from a porn site, it would be major news.

I do have a couple of guesses as to what happened, and LJ's side of the "problem" appears to be that they hadn't thought of every way to exclude script, and Firefox has an additional to use it. But, if it weren't for the combination of these two factors, it'd be much bigger news, affecting every major commercial site in the world and everything would go out the window.

OK - That was me. I forgot that I purposefully logged-out last night. Sorry.
