Urgent security notice: embedded content security breach

Sep 23, 2009 00:03

As far as known at this time, LJ has had a security breach with the embedded content domain lj-toys.com (not to be confused with the third party domain, ljtoys.org.uk). This breach resets the icon and metadata of your most recent post and sets the security to public, along with inserting malicious Flash content into the body of the post, within ( Read more... )

breaking news

Comments 63

turlough September 23 2009, 14:39:39 UTC
Okay, as a completely clueless-when-it-comes-to-viruses-and-stuff-like-this Mac user I have to ask: Does this affect Macs too? (Not that I'm in much danger since I've got placeholders, Flashblock, AND NoScript activated and didn't click on any embedded content yesterday, that I can remember in any case :-)

Reply

sofiaviolet September 23 2009, 14:42:44 UTC
Yes, it would also affect Macs. This exploit doesn't care what operating system you use, since it only touches your browser and LJ.

-another Mac user

Reply

turlough September 23 2009, 14:44:59 UTC
I suspected this might be the case but I didn't know so thank you!

Reply

msilverstar September 23 2009, 15:51:21 UTC
I think if you don't load Flash and have scripts turned off and didn't click on a video during the problem window, you're probably OK.

Reply


starlady38 September 23 2009, 15:44:09 UTC
Thanks for these links.

Reply


mauser September 23 2009, 19:29:05 UTC
Knowing the server that the script sent addresses back to, is it possible to find and prosecute the culprits?

(Personally, I was never too pleased to see the embed code I pasted in my posts modified behind my back to include LJ Toys. I never knew what that was about anyway. But it clearly made a bright idea turn out to be dumb, which is so often the case).

Reply

foxfirefey September 23 2009, 19:36:09 UTC
I don't know--it looks like you can set up a free trial account on the SimpleCDN service without anything like a credit card number, and even if they did require one, it could be stolen. So it might not be possible to trace them down.

In itself, embedding things in a different domain is not a dumb idea--for instance, Dreamwidth does the same thing for security reasons--but as far as I can tell from people who have been investigating, LJ's made some poor configuration decisions that made this possible.

Reply

mauser September 23 2009, 19:58:24 UTC
Didn't know it was SimpleCDN. It's also true that scammers like that frequently use hacked or insecure third party systems for their data dumps. If LJ and SimpleCDN worked quickly enough to delete the data, it's possible to delete it all before the scammer has a chance to harvest it.

I still don't know how anyone benefits from altering the embed code I copy from YouTube to include lj-toys. And I still have no idea what that was supposed to do. I must have missed the announcement of how that was a good thing.

Reply

janinedog September 23 2009, 20:20:07 UTC
The embed code itself is not altered. Instead, an iframe to lj-toys.com is put into your entry, and the embed code is run from there, instead of directly from livejournal.com. This prevents malicious code that may be in the embed from accessing livejournal.com cookies.

Reply
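
The isolation janinedog describes above, as an added example that is not part of the original thread and is not LiveJournal's code: a simplified RFC 6265 domain-match plus a same-origin check, showing why a frame served from lj-toys.com neither sees livejournal.com cookies nor can script the parent page. The cookie names, the journal subdomain and the embed URL path are constructed, and Path/Secure/public-suffix handling is left out.

```javascript
// Added example; cookie names, hosts other than the two domains on the page,
// and URL paths are constructed sample data, not LiveJournal's real values.

// RFC 6265 section 5.1.3: a host matches a cookie domain if it is identical,
// or if it ends with "." + domain and is not an IP address.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  return host.endsWith("." + cookieDomain) && !/^[\d.]+$/.test(host);
}

// A cookie set without a Domain attribute is host-only: only the exact
// setting host ever sees it. Otherwise the domain-match rule applies.
function cookiesVisibleTo(host, jar) {
  return jar
    .filter(c => (c.hostOnly ? host.toLowerCase() === c.domain
                             : domainMatch(host, c.domain)))
    .map(c => c.name);
}

// Same-origin policy: scheme, host and port must all agree before a frame
// may read its parent's DOM (and, through it, document.cookie).
function sameOrigin(a, b) {
  const x = new URL(a), y = new URL(b);
  return x.protocol === y.protocol && x.host === y.host;
}

// Constructed cookie jar for the main site.
const jar = [
  { name: "session", domain: "livejournal.com", hostOnly: false },
  { name: "prefs", domain: "www.livejournal.com", hostOnly: true },
];

function demo() {
  return {
    mainSite: cookiesVisibleTo("www.livejournal.com", jar),
    journalSubdomain: cookiesVisibleTo("exampleuser.livejournal.com", jar),
    embedFrame: cookiesVisibleTo("lj-toys.com", jar),
    frameCanScriptParent: sameOrigin("http://lj-toys.com/embed",
                                     "http://www.livejournal.com/"),
  };
}

console.log(demo());
```

The same functions show why the embed host has to be a separate registrable domain: a subdomain of livejournal.com would still domain-match the `session` cookie.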


ebdim9th September 24 2009, 00:07:44 UTC
Please don't block access to my home live journal page by forcing me to consider guest whatever that was. If I ever want it I'll go searching through your tools and services for it. It's making it harder for me to see if anything's happened to that part of my account.

thanks, Phil

Reply

foxfirefey September 24 2009, 00:11:38 UTC
I am confused by this request and do not quite understand what it is asking for?

Reply

ebdim9th September 24 2009, 00:22:20 UTC
Whenever I go 'home' the page goes grey and says there's a new function, there's no way to get around it on that page. It seems to want me to check out some new way to register guests, another kind of app, but that is not something I want to consider accepting or refusing right now. I'm more interested in checking into that page and seeing if there's any sign of that malignant Flash code infection... I've gone around another way, but it would have been easier to go through the 'home' page.

Reply

foxfirefey September 24 2009, 01:35:58 UTC
Okay, information on that dialog can be found here:

http://news.livejournal.com/116933.html?format=light#guests

My suggestion is to refuse it right now. It won't affect your LJ experience that way, and you can always change the setting later if you change your mind.

Reply


problem is for lj-toys, not with ljToys. alobar September 24 2009, 09:34:04 UTC
When I read your post, I wrote an e-mail to ljtoys.org.uk. I received the reply below. Having two utilities with almost identical names leads to confusion ( ... )

Reply

Re: problem is for lj-toys, not with ljToys. foxfirefey September 24 2009, 12:42:13 UTC
You're right--I was confused, too, about that when I very first heard about this, before I made this post, and I should have made it more clear when I wrote it (since some people aren't going to know the different domains, or what LJ's embedded content domain means)! It should be more obvious now, thanks.

Reply

