Urgent security notice: embedded content security breach

Sep 23, 2009 00:03

As far as is known at this time, LJ has had a security breach with the embedded content domain lj-toys.com (not to be confused with the third party domain, ljtoys.org.uk). This breach resets the icon and metadata of your most recent post and sets the security to public, along with inserting malicious Flash content into the body of the post, within ( Read more... )

breaking news


Comments 63

afuna September 23 2009, 07:20:34 UTC
From when it happened to me, I saw on my top entry in editjournal (which was backdated) four lj-embed tags:

.

And when I edited the entry, something about simplecdn. Your embed ids will differ, obviously.

Reply


oconel September 23 2009, 07:24:31 UTC
I kept wondering why Avast kept telling me it had stopped a virus while surfing LJ. I guess I couldn't see the flash because of Adblock?

Reply

foxfirefey September 23 2009, 08:01:36 UTC
I'm not sure if AdBlock would block this unless it was blocking all Flash content, as I don't think the domain is included in the usual ad subscription filters. The Flash didn't actually load anything to view, it just ran the code.

Reply

oconel September 23 2009, 08:04:08 UTC
*nods* Then it probably was the antivirus software blocking it.

Thanks for the information.

Reply

rydra_wong September 23 2009, 08:43:53 UTC
The Flash didn't actually load anything to view, it just ran the code.

So it wouldn't show up as the embedded content placeholder? I have Flashblock and NoScript, but will normally click to enable content I want to watch -- but it sounds like this wouldn't show up as anything visible ("object width="1" height="1"", etc.)

Reply
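For checking a recent entry by hand, the two signs mentioned in the comments above (unexpected lj-embed tags in the edit view, and 1x1 embedded objects that show no visible placeholder) can be looked for mechanically. This is an added example, not part of the original thread and not LiveJournal code; the sample entry, the example.invalid URLs and the function names are constructed for illustration, and the `<lj-embed id="..." />` form is assumed from the tags the commenters describe.

```python
from html.parser import HTMLParser

# Elements that can carry embedded active content in an entry body.
EMBED_TAGS = {"object", "embed", "iframe"}


def _pixels(value):
    """Return an integer pixel size from an attribute value, or None."""
    if value is None:
        return None
    value = value.strip().lower()
    if value.endswith("px"):
        value = value[:-2].strip()
    return int(value) if value.isdigit() else None


class EntryScanner(HTMLParser):
    """Collects lj-embed placeholders and near-invisible embedded objects."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # also called for <tag ... />
        attrs = dict(attrs)
        if tag == "lj-embed":
            # Legitimate embeds use this tag too: review any you did not add.
            self.findings.append(("lj-embed", attrs.get("id")))
        elif tag in EMBED_TAGS:
            w, h = _pixels(attrs.get("width")), _pixels(attrs.get("height"))
            # A 0x0 or 1x1 element renders nothing a reader would notice.
            if w is not None and h is not None and w <= 1 and h <= 1:
                self.findings.append(("hidden-" + tag, f"{w}x{h}"))


def scan_entry(html):
    """Return a list of (kind, detail) findings for one entry body."""
    scanner = EntryScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample entry body (not taken from a real journal).
SAMPLE_ENTRY = (
    '<p>Went hiking today.</p><lj-embed id="101" /><lj-embed id="102" />'
    '<object width="1" height="1">'
    '<embed src="https://example.invalid/x.swf" width="1" height="1"></object>'
    '<object width="480" height="385">'
    '<param name="movie" value="https://example.invalid/video"></object>'
)
```

A finding is a prompt to open the entry and look, not proof of infection; a normal-sized video embed like the last object in the sample is not reported.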


platypus September 23 2009, 07:36:48 UTC
Yep, that's exactly what got embedded on my last entry, save with different lj-embed id numbers. Except I think it was hours, not minutes, after I posted.

Reply

janinedog September 23 2009, 07:38:36 UTC
It wouldn't happen until you viewed an entry that was infected (probably on your friends page, but anywhere on LJ that the entry appears would work).

Reply

foxfirefey September 23 2009, 07:40:11 UTC
Correction duly noted!

Reply


kel_reiley September 23 2009, 08:00:37 UTC
do i need to worry about my journal being hacked? should i change my password or anything?

Reply

rahaeli September 23 2009, 08:33:37 UTC
Based on analysis of the malicious code, it didn't do anything but a) harvest your email address and b) edit your entries to spread itself further. There's no way it could've gotten your actual password, but it may have gotten your journal's cookies (little pieces of information on your computer that identify you to LJ), which would allow whoever's behind it to pretend to be you to LJ.

The safest thing to do, if you were hit, is to go to Manage Logins, expire all your sessions, and then log back in, after you clean up your journal entries to remove the malicious code. Doing this will eliminate all possibility that someone malicious will have access to your journal. You don't need to change your password.

Reply

kel_reiley September 23 2009, 08:42:02 UTC
ok, i've done that, changed my password anyway just in case
what does 'harvested my email' mean exactly?

Reply

rahaeli September 23 2009, 08:49:59 UTC
Put it on their list, for whatever purpose they're building a list of email addresses for.

Reply


charliemc September 23 2009, 08:44:01 UTC
Thanks so much for posting this!

I had no clue what was up and actually did a mini-rant about items being disabled on my Profile page.

It's great to know about this -- and to help spread the word!

Reply

foxfirefey September 23 2009, 08:51:55 UTC
It's not as urgent as it used to be, at least--it's a very recent development. The infection is contained as far as I know, but people need to know to check their latest entries, because friended entries made public with no warning can cause no end of grief!

Reply

charliemc September 23 2009, 08:56:18 UTC
...because friended entries made public with no warning can cause no end of grief!

No kidding!

Not that I ever put up entries that I wouldn't want EVERYONE in the world to read, or anything (right). (heh) Which is why I about DIED when I read about it.

People like you save others a lot of sorrow -- thanks again!

Reply

