Sigh

Jun. 12th, 2004 10:36 am
bryant: (Default)
[personal profile] bryant
I'm not clicking on any links in LiveJournal entries until they fix the security hole. Recommend you don't either. Long story short, it's immensely easy to set up a page which, when you view it, will post something to your journal. That something can include a link to a page which, when you view it -- well, you get the idea.

I don't see any password theft vulnerabilities but I haven't really put too much effort into thinking about it, so I could be wrong.

I also have no idea how this gets fixed.

Sigh.
  • Add Memory
  • Share This Entry
Flat | Top-Level Comments Only

Date: 2004-06-12 02:45 pm (UTC)
gentlyepigrams: (Default)
From: [personal profile] gentlyepigrams
That was one of my first thoughts about that meme--my first one other than "huh?", in fact.

Date: 2004-06-12 02:47 pm (UTC)
bryant: (Default)
From: [personal profile] bryant
There's a decent approach to fixing it here:

http://www.livejournal.com/community/lj_dev/641972.html

I'm going to post and urge bradfitz to not worry about the poorly implemented clients which may suffer as a result of implementing the fix.

Date: 2004-06-12 02:57 pm (UTC)
gentlyepigrams: (Default)
From: [personal profile] gentlyepigrams
Yeah, pretty much. Use the API, Luke!

Date: 2004-06-12 02:48 pm (UTC)
From: [identity profile] jeregenest.livejournal.com
Yeah, its a little problematic. Definitely going to cause me to be a lot more careful in following links from Livejournal.

Date: 2004-06-12 02:55 pm (UTC)
bryant: (Default)
From: [personal profile] bryant
Yeah. A little more thought -- you could automatically delete someone's journal with one of these.

Date: 2004-06-12 04:28 pm (UTC)
From: [identity profile] mgrasso.livejournal.com
If one were not logged into LJ, this meme could do no damage, correct?

Date: 2004-06-12 04:36 pm (UTC)
kodi: (Default)
From: [personal profile] kodi
I don't see any way that it could.

Well, presumably, if it knew someone else's password, it could log you in as them, and make your computer post on their journal, or possibly delete it.

Date: 2004-06-12 07:46 pm (UTC)
bryant: (Default)
From: [personal profile] bryant
Correct.

Date: 2004-06-12 04:43 pm (UTC)
kodi: (Default)
From: [personal profile] kodi
Hey, you know what browsers need? A "View source of link" in the context menu. That would rock.

At any rate, yeah, the random auth key is a good solution, although it would be nice if they made it so you could have more than one key checked out at once - I often have 3 or 4 "post a comment" tabs open at the same time.

Date: 2004-06-12 05:30 pm (UTC)
merlinofchaos: (Default)
From: [personal profile] merlinofchaos
Could you post a link to a source or something? This is the first I've heard of it, and I'm curious for more information.

Date: 2004-06-13 01:09 am (UTC)
From: [identity profile] head58.livejournal.com
But if we're not supposed to click on links in LJ entries...

Date: 2004-06-12 07:48 pm (UTC)
From: [identity profile] janne.livejournal.com
Learned about this from somebody who mailed the apparent originator of (one of) the LJ viruses. The reply is worth reading: http://www.livejournal.com/users/solarbird/201739.html

Date: 2004-06-12 08:15 pm (UTC)
gentlyepigrams: (Default)
From: [personal profile] gentlyepigrams
In addition to "this is interesting" and the moron one, there's now one that posts a goatse sort of image (I don't know if it's the original or not). They really need to fix that hole ASAP--it's been what, a day, since the sausage meme started and now it's everywhere.
  • Add Memory
  • Share This Entry
Flat | Top-Level Comments Only

Profile

bryant: (Default)
bryant
Innocence Consulting

October 2025

S M T W T F S
    1234
567891011
12131415161718
19202122232425
2627 28293031 

Most Popular Tags

Page Summary

Active Entries

Style Credit

Expand Cut Tags

No cut tags
Page generated Jan. 1st, 2026 10:52 am
Powered by Dreamwidth Studios