Network News

X My Profile
View More Activity

Account Hijackings Force LiveJournal Changes

LiveJournal, an online community that boasts nearly 2 million active members, on Thursday announced sitewide changes for users logging into their accounts -- changes prompted by a hacker group's successful hijacking of potentially hundreds of thousands of user accounts.

In an alert posted to its user forum, LiveJournal said it was instituting new login procedures for users because "recent changes to a popular browser have enabled malicious users to potentially gain control of your account." Company officials could not be immediately reached for comment. I also put in a query to Six Apart, which owns LiveJournal (and the service we use to produce this blog), but have yet to hear from them either.

An established hacker group known as "Bantown" (I would not recommend visiting their site at work) claimed responsibility for the break-in, which it said was made possible due to a series of Javascript security flaws in the LiveJournal site.

A trusted source in the security community put me in touch with this group, and several Bantown members spoke at length in an online instant-message chat with Security Fix. During the chat, members of the group claimed to have used the Javascript holes to hijack more than 900,000 LiveJournal accounts. (Although I quote some of them in this post, I have chosen to omit their individual hacker handles -- not because we're trying to protect their identities, but because a few of them could be considered a tad obscene.)

LiveJournal's stats page says the company has more than 9.2 million registered accounts, but that only 1.9 million of them are active in some way. The largest percentage of users are located in the United States and Russia.

Bantown members said they created hundreds of dummy member accounts featuring Web links that used the Javascript flaws to steal "cookies" (small text files on a Web-browsing computer that can be used to identify the user) from people who clicked on the links. Armed with those cookies, the hackers were then able to either log in as the victim, or arbitrarily post or delete entries on the victim's personal page.

"It is impossible to know how many of these are nonfunctional, but we have an 85% success rate on usage, so it may be fair to state that 85% of those are valid," one member of Bantown told Security Fix. "However, we have only used approximately five hundred of these cookies so far, so it is impossible to tell whether this sample is statistically valid. Still, a massive number have been compromised."

Normally, sites like LiveJournal prohibit the automated creation of accounts by using so-called "captcha images," online Turing Tests that require the user to read a series of slightly malformed numbers and letters and input them into a Web site form before a new account can be created. The idea is to stymie automated programs created by spammers who try to register new accounts for the sole purpose of using them to hawk their wares.

But Bantown claims to have figured out a way to subvert that test, and to have even released a free, open-source program that others could use to do the same.

According to Bantown, the group has been doing this for months, and LiveJournal was only alerted to the problem after the specially crafted URLs the hackers created started setting off antivirus warnings when some users clicked on the links.

"What eventually led LiveJournal to discover and patch our first vulnerability is that McAfee's full [computer security] suite actually has some preliminary protection against cross-site scripting attacks," one group member said.

It is unclear whether LiveJournal has managed to close the security holes that the hackers claim to have used. The company says it has, but the hackers insist there are still at least 16 other similar Javascript flaws on the LiveJournal site that could be used conduct the same attack.

Group members said they plan to turn their attention to looking for similar flaws at  another large social-networking site.

Anytime you have large groups of computer users aggregating at such places, they are going to be seen as a target-rich environment by hackers and hacker groups. Over the past several months, a number of exploits have been released to help users or attackers circumvent the security of online forums.

So far, the damage has been mostly harmless. The most high-profile case so far came in mid-October when one Myspace.com user released a self-replicating computer worm that took advantage of Javascript flaws to add more than a million fellow users to his buddy list. A similar worm hit the online community Xanga on New Year's eve (there is also some strong language at this link.)

By Brian Krebs  |  January 20, 2006; 12:26 PM ET
Categories:  Latest Warnings  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Rep. Takes Aim at Cell Phone Record Sales
Next: Kama Sutra Worm Gets Nasty

Comments

"recent changes to a popular browser" WHICH BROWSER?!?! Firefox, IE, Safari?

Posted by: wiredog | January 20, 2006 12:58 PM | Report abuse

Wiredog -- Shoot, I forgot to address that in the posting. LJ considered the flaw related to a Firefox problem, but Bantown says that's not really the issue here. From my discussion with the Bantown people:

"Livejournal assumed the majority of our javascript injection attacks involved malicious code implanted in style sheets or user posts, and they have heavily audited this area for bugs. The changes they made were for a Firefox-specific bug-- they assumed it was the key to the XSS attacks that we were doing. Ours affect all browsers though, and we were not using this Firefox-specific vulnerability."

I'm sorry I don't have more info about the FF specific bug.

Posted by: Bk | January 20, 2006 1:03 PM | Report abuse

*shrugs* That's how spammers get your email. That's why you should always delete your cookies after going to password protected site.

Posted by: anonymous | January 20, 2006 2:53 PM | Report abuse

Surely if Bantown claimed responsibility for the attacks they gave some reason why. So: why? What's their point?

Posted by: Ayjay | January 20, 2006 2:55 PM | Report abuse

It's about time somebody did something to wake up LiveJournal. For people who don't know, LJ has a staff of moderators called "LJ Abuse" that behaves in a profoundly unprofessional manner when handling user complaints, copyright issues, user warnings/bannings, and spam. LJ Abuse is known for playing favorites, abnegating its own rules when making decisions, and actually harassing users who did nothing wrong except to criticize LJ Abuse.

Part of what bantown is doing is in response to LJ Abuse's behavior. Personally, I applaud bantown's efforts and I hope that it wakes up LiveJournal/SixApart to the massive social and technical issues (can anyone say "pls fix memories?") afflicting LJ today.

Posted by: rfjason | January 20, 2006 3:01 PM | Report abuse

In a not entirely unrelated matter, Livejournal has been vulnerable to XSS in IE ever since they started using their S2 style system.
I've reported some examples to them in december 2003, they have not been fixed in over 2 years.

Maybe they just forgot about it. Ah well, the sub-domain change should make writing a worm with it a little bit harder.

Posted by: Anonymous | January 20, 2006 3:06 PM | Report abuse

Ayjay -- I asked several members of the group that exact question, and they all came back with the same response: "For the LOLs."

Posted by: Bk | January 20, 2006 3:15 PM | Report abuse

You can ignore Rfjason's above comments. He's well known for being overly dramatic. I've had to deal with LJ-abuse several times, they've always been polite and professional.

Posted by: DS | January 20, 2006 3:18 PM | Report abuse

It's about time somebody did something to wake up LiveJournal. For people who don't know, LJ has a staff of moderators called "LJ Abuse" that behaves in a profoundly unprofessional manner when handling user complaints, copyright issues, user warnings/bannings, and spam. LJ Abuse is known for playing favorites, abnegating its own rules when making decisions, and actually harassing users who did nothing wrong except to criticize LJ Abuse.

Part of what bantown is doing is in response to LJ Abuse's behavior. Personally, I applaud bantown's efforts and I hope that it wakes up LiveJournal/SixApart to the massive social and technical issues (can anyone say "pls fix memories?") afflicting LJ today.

Posted by: rfjason | January 20, 2006 3:33 PM | Report abuse

Bantown seems to be associated with a bunch of people whose mission on the Internet seems to be to find, laugh at, encourage, and cause "drama", especially around Livejournal. LJDrama, Frienditto, Encyclopedia Dramatica, now this.

Amazingly enough, their antics cause them to run afoul of the people who handle abusive behavior on Livejournal. Fancy that!

Posted by: Anonymous | January 20, 2006 3:39 PM | Report abuse

Rfjason is a known troll - ignore everything the worthless scum says.

Posted by: me | January 20, 2006 3:40 PM | Report abuse

we did it for the lolz

Posted by: bantown | January 20, 2006 3:42 PM | Report abuse

asdf

Posted by: Anonymous | January 20, 2006 3:52 PM | Report abuse

So can we have the code?

Posted by: SheeEttin | January 20, 2006 3:58 PM | Report abuse

I totally agree with everything rfjason is saying. If Bantown is really doing this because of LJ Abuse, then I have no problem with it. You reap what you sow, LJ.

Posted by: jameth | January 20, 2006 4:23 PM | Report abuse

Right on RFJason! I've had nothing but idiots help me out through LJAbuse. According to them, the DMCA covers anything that anyone says is copywritten, whether the said image/text/whatsever was legally copywritten or not. Then, when you point out flaws in arguements, such as above, they tell you to go away and just sue the person.

Real winners. A+

Posted by: yo mom | January 20, 2006 4:37 PM | Report abuse

Jameth has a history of fanning drama on LJ. He's had run-ins with the abuse team. How strange that he doesn't like them!

Posted by: Anonymous | January 20, 2006 5:06 PM | Report abuse

Oh my god, these people need a hobby.

Posted by: Anonymous | January 20, 2006 5:39 PM | Report abuse

RFJason is NOT a known troll, but an American fighting for our rights as citizens. The LJ TOS is not enforcable by law.

At the drop of any word the VOLUNTEER LJ ABUSE TEAM COMPRISED OF 19 AND 25 YEAR OLD BUFFY FANS doesn't like, they permaban ANYONE AND EVERYONE THEY CAN, no matter the user's long standing in the LJ community and the NON LEGALITY OF THE BAN.

LJ Abuse has no real structure and interprets the LJ TOS and the LAW without knowledge of the actual LAW nor much else.

Removal of one's services through LJ by a volunteer that doesn't actually work for the service is NOT LEGAL.

We need a class action law suit against LiveJournal for all of the users that have been banned for nothing.

Posted by: Concerned Comrade | January 20, 2006 5:43 PM | Report abuse

Jameth and RFjasen just perpetuate the problem. This link is to a post in Jameth's journal http://jameth.livejournal.com/2075428.html

If what he posted is even from bantown, it sounds to me like a personal issue someone has with someone else, and has nothing to do with exposing any security issues.

And IF you are so unhappy with LiveJournal, why do you continue to use it?

Posted by: nonameLJuser | January 20, 2006 6:11 PM | Report abuse

One more thing I thought of after I hit post.
In response to being banned for nothing, playing favorites etc. Livejournal isn't a democracy, it's livejournal. You play by thier rules, even if they are changed 50 times a day or you don't play. Plain and simple. Stop whining and get a life. IT'S THE INTERNET for christsake.

Posted by: nonameLJuser | January 20, 2006 6:17 PM | Report abuse

To make the world a better place AND to stop the conspiracy. LJ wants everyone to be neat and nice with their hands in their laps. NO SUCH THING WILL HAPPEN. After all of us, there will be more and more and more.

Exposing the UNLAWFUL acts of LJ will make LJ a better place.

Posted by: Concerned Comrade | January 20, 2006 6:18 PM | Report abuse

LOLS AND DONGZ!

Posted by: bowl-o-lols | January 20, 2006 6:49 PM | Report abuse

I've seen LJ Abuse play favorites and ban people for no reason many times. When people pay to use a service, and that service has an abuse team made up of volunteers who act without oversight and are incapable of sticking to the site's TOS, no wonder they get pissed when their journals are suspended even when they broke no rules. Livejournal needs a wake up call.

Posted by: Epiphany | January 20, 2006 7:44 PM | Report abuse

Would Concerned Citizen be kind enough to tell us *which* law is actually being broken? Sheesh. "Illegal." Stupid kids.

(Oh, the LJ Abuse team is legendary for their stupidity, egocentrism and corruption that makes the LAPD look like a Girl Scout troop, but that doesn't make it illegal.)

Posted by: Concerned Shitizen | January 20, 2006 8:31 PM | Report abuse

a second bantown has crashed into the world trade center

Posted by: Anonymous | January 20, 2006 8:36 PM | Report abuse

I don't have anything to say about the issue. I just want more attention for my own journal, http://lima-pcp.livejournal.com/

I write funny stuff sometimes.

Posted by: lima_pcp | January 20, 2006 8:53 PM | Report abuse

I also want my 15 minutes of e-fame. It's long overdue.

Also, I'd like a date with Laetitia Casta and Kate Winslet.

Posted by: lima_pcp | January 20, 2006 8:56 PM | Report abuse

I don't think the LJ abuse team acts in any way illegally, but as far as customer service goes it sucks. They don't explain their actions, they apply the TOS inconsistantly, and they invent new rules (or stretch and twist their previous interpretations of the rules) whenever they wish. It doesn't surprise me that there are complaints against Livejournal with the Better Business Bureau because of this.

Posted by: C | January 20, 2006 9:27 PM | Report abuse

pwnd n lolurband!!1! gimme teh code...you done rong boy!

Posted by: pajanada | January 20, 2006 10:01 PM | Report abuse

wiredog: Firefox. Look into "-moz-binding" in CSS.

http://tinyurl.com/ca8pk

Posted by: Asleep | January 20, 2006 10:10 PM | Report abuse

It's Comrade, buddy.

Well, let's see. There are a multitude of reasons why the LJ TOS would not be respected in a court of law. These reasons mainly deal with paid users. If you pay for a service, and threaten to kill someone, sure you should not be allowed to use the site.

I guess my main beef is that although there is a TOS in place, the implementation of this is irregular. Also, volunteer non-employees of Six Apart are given authority to deny service on their behalf using these practices that are often fueled by personal feelings/thoughts, etc. This is also linked other parts of the site where un-paid volunteers are allowed to control the services of paid users.

Posted by: Comrade | January 20, 2006 10:15 PM | Report abuse

LJ Abuse sucks.

Free The Spoony and remove "final warnings" from all users of theljcirclejerk!

Posted by: biscman | January 20, 2006 10:55 PM | Report abuse

I agree with any and all efforts to make the LJ Abuse Team cry. I want my acount back plzkthx. I would greatly enjoy a class action lawsuit.

Posted by: yellow_finch | January 20, 2006 11:23 PM | Report abuse

Irregular application of law does not connote illegality, merely poor implementation. If a cop fails to give you a speeding ticket, that doesn't make speeding legal; it makes the cop incompetent.

Posted by: Anonymous | January 21, 2006 12:13 AM | Report abuse

Wait, so you (rfjason) think all these other people who are minding their own business having pointless journal comments with their friends need to have their info stolen because you have a beef with LJ Abuse?

Get a life.

Posted by: nifty | January 21, 2006 12:43 AM | Report abuse

Many of the people who were hacked GREETED US AS LIBERATORS. it is NOT just "dramacrats and 1337 haxx0rs" that run into problems with them. LJ Abuse's tyranny is documented as if it were historical fact in the Wikipedia entry for "LiveJournal"!

The LJ programmers have known about holes like these for a man-age, but are notoriously lazy. Anaylse the CVS system, and you'll see for yourself how little maintenance is done to the site. That is, until this anal blitzkrieg got them scrambling to their feet.

And what do they do for "security measures" when we finally -do- wake their pompous asses up? They give everyone subdomains (a paid account feature) and reward morons with underscores at the beginning of their name with free rename tokens. This gives you some insight into the complete ineptitude of the LJ staff: deciding to render paid accounts worthless in a time of crisis, with no apparent security payoff.

Everyone's saying "lol ur gay y do u care abt livejournal so much get a life d00d", and totally missing the point. Every single online community right now restricts free speech, because it's less work for their abuse teams to just ban "troublemakers" rather than taking the time to deal with them fairly and justly. LiveJournal, being one of the largest online communities, has the power over what can and cannot be said by 1.9 million people, and has the responsibility to rule over them wisely. Which means not banning someone they don't like for simply quoting another user or using their icon, while letting another user they like off the hook for herding goatse wherever they please.

"But they're a business, they can make a TOS which states 'we can resell any portion of your journal back to you' and get away with it. If you don't like it, set up your own online community." is a retort I often hear. That's a nice idea, but not everyone who has valuable but controversial opinions to voice has the money to build and administer their own online community. Not to mention that getting people to agree to a shady and selectively-applied Terms of Service, then banning them after taking their money for a paid account (and refusing a refund) is by no means a corporation's constitutionally-protected right.

Posted by: Чебурашка | January 21, 2006 1:04 AM | Report abuse

Livejournal abuse sucks. To deny people their accounts, especially people who pay for the service, is vile. They do not act fairly or evenhandedly. They play favorites, are abusive themselves.

I stopped renewing my paid account a while ago, they don't deserve any money. I've concentrated on my blog, which has much better customer service. It costs more, but they deserve the money. I am not throwing money down a hole by a company run by incompetent children, who rely on ignorant volunteers to do their work.

I'll consider paying again when they have competent staff working for them. Until then, I hope they crush under the weight of free accounts, eventually becoming too much of a financial drain to continue.

Posted by: Kibs | January 21, 2006 1:19 AM | Report abuse

it's the internet kids, you pays your money and you takes your chances. The TOS would stand in court if you signed it... AND what leads anyone to believe it would be worth any mony to sue? Never EVER sue broke people. LJ is a lark. If you take it more seriously, you are prolly going to get burned... :shrug: For those that dislike the abuse team... you should start your own journal. You will quickly discover what a pain in the ass it is to deal with people all day...

Posted by: || | January 21, 2006 2:36 AM | Report abuse

When you talk to Bantown and realize they are some of the smartest people on the wise internets it's hard to fight them. You know? Their responses and reasonings are so A++. I can't even begin to say how proud the below statement makes me feel to have such people friended on LJ. Who needs people obsessed with Buffy and creepy slash fiction. We're not asking for much. We are simply asking for a more regulated system of abuse management and a damn system that works in the 1st place.

The news post by LJKrissy was possibly the most vapid attempt at placating the masses I've seen. 5 more voice posts a month! Come on people. Of course, we can't voice these feelings on LJ without fear of being permabanned for a comment here and there, without that refund of monies. It's hard to have a LJ for 5 years, put so much time into it and then BAM, the wrong word is used and FINAL WARNING YOU WILL PAY. This entire thing does deserve some type of law suit. Trust me, there ARE people out "there" that have the unlimited disposable income to fund such a thing.

Posted by: Blingin to the Oldies | January 21, 2006 2:47 AM | Report abuse

Pls to Free THESPOONY AND REMOVE ALL FINAL WARNINGS FROM THELJCIRCLEJERK!

Posted by: Factor V | January 21, 2006 2:48 AM | Report abuse

If it is the -moz-binding thing that Asleep linked to, it's not new and it's been reported before. (I know I reported it in October, and there's a guy on Slashdot saying he reported an unfixed XSS bug two years ago. I wouldn't be surprised.) The domain/cookie changes they've made are good, though, so future attacks probably can't do any damage. They seem to have actually fixed it the *right* way, making a nice contrast to MySpace...

Posted by: random | January 21, 2006 3:50 AM | Report abuse

yo mom, copyright in the U.S. covers all works from the moment they are fixed in tangible (permanent) form. No registration with the Copyright Office is required, though it is necessary in order to obtain statutory (rather than actual) damages in a court case. You can register after the copyright infringment and before the court case to qualify for statutory damages, if it is within a few years of publication.

So, if LJ Abuse says that the OCILLA part of the DMCA covers all works, they are pretty close to right.

One problem is that they will accept obviously invalid notices and don't provide the details of the complainant so you can take legal action against them for filing an invalid takedown notice. That means you first have to take legal action against LJ to determine who you need to bring the final case against.

Posted by: not yo mom | January 21, 2006 6:10 AM | Report abuse

wiredog - firefox. People think if they use ff they're not vulnerable to anything - wrong. All browsers have weaknesses. That these are exploited and users harmed is pathetic.

Note that while this may not be Bantown doing this - and no news organization has said anything - for the last month at least and in a concerted attack last weekend, Neopets was infested with cookie grabbers, which resulted in the loss of accounts. Not just free accounts, but premium member accounts were grabbed and their premium information brute forced. This resulted in premium member personal information - name, address, payment/cc information being ss and posted on various nasty little sites. Stolen virtual items (theft of intellectual property) was sold for real money. Neo has not and probably will not make any mention of this to their users. They never have in the past.

All you people who think it's funny to hack/crack/scam/brute force accounts anywhere - you're not. You're pathetic and deserve whatever you get when you're caught. 18US1030 - Computer Fraud and Abuse Act does take this type of thing into account.

Posted by: neo | January 21, 2006 2:40 PM | Report abuse

lj abuse deserves whatever happens to them. i agree w/the above comments- they pick and choose when to enforce tos and suspended paid accounts for little to no reason at all. i had an account paid up two years get suspended because someone was harassing me. it's karma

Posted by: Anonymous | January 21, 2006 11:44 PM | Report abuse

...And here I thought they were going to do something more evil than simply retaliate against LJ Abuse... Oh well. I suppose it's a half decent cause, but... seriously, a lawsuit for having your journal banned? Please. There's other blogging sites in the world. Seriously.

Posted by: Shino | January 22, 2006 12:42 AM | Report abuse

I don't like LJ Abuse but I hate rfjason a lot more.

Posted by: x | January 22, 2006 1:48 AM | Report abuse

I don't remember writing that! I DON'T REMEMBER WRITING THAT!

MY JAVAS WERE HACKED!! I BLAME NOT HAVING GAY.PL TO PROTECT ME!!

lolrfyoder

Posted by: alex_jon | January 22, 2006 4:42 AM | Report abuse

Dear writer,

You are moderately attractive. I would.

Love,
DONGS

Posted by: alex_jon | January 22, 2006 4:43 AM | Report abuse

LJ and their Abuse team have never crossed me. People act like they're as bad as the government... doing random things for no good reason.

Well, you know, even the LJ Abuse team is human. You can knock the creators/maintainers/inhabitants of LJ all you want, but the fact is that we're all human, and we all make mistakes. No one is immune.

That said, I have been a proud Paid Account holder since June. However, I paid for my account knowing that even though it IS LiveJournal, they are a company, albeit a different kind. You pay your money, and you take your chance.

This security breach does have me worried, though; and as much as I love LJ, and take pride in supporting LJ financially, I just don't know if i'll be renewing my membership.

www.llbbooks.livejournal.com

Posted by: LLBBooks | January 22, 2006 7:50 AM | Report abuse

Is it really that hard for web developers to figure out? If security is an issue DON'T USE CLIENT-SIDE JAVASCRIPT.

Posted by: D Doctor | January 22, 2006 7:22 PM | Report abuse

It's an odd sight when LJers come crawling out to the internet

Posted by: Jerome | January 22, 2006 9:13 PM | Report abuse

Out of curiosity, how is hacking random people's journals an act of rebellion? Rather than making people support your 'free speech' agenda, it only serves to make people dislike you and cheer LJ on when they fix the security issues.
Whatever beef you have with LJ, don't take it out on the users themselves - just as you have a right to free speech and expressing yourself, we have the right to use the LJ site as we wish and to be left out of your childish, petty rebellion.
If you want to protest something, use your head and do something that the rest of the population is going to cheer on. Attacking people you don't know on a website millions of people have never heard of isn't going to do a damn thing.

Posted by: threep | January 22, 2006 10:06 PM | Report abuse

FREE THE SPOONY

Posted by: Anonymous | January 23, 2006 4:52 AM | Report abuse

NO MORE WARNINGS. FREE THE SPOONY and EVERYONE ELSE.

Posted by: Chickn | January 24, 2006 3:23 AM | Report abuse

Firefox.

Posted by: Anonymous | January 24, 2006 6:58 PM | Report abuse


I understand wanting fix problem but it has created problems for me. I can stay logged on. I move to a different page and end up being log out. I've followed all advice LJ has gave me & none of it works. It's getting frustrating to even use my LJ. I'm trying to understand but while fixing one problem end being worse off.
I will try to continue to understand. I'm just tired of not being able to edit my journal or look friends LJ.

Posted by: frustrated | January 27, 2006 1:25 AM | Report abuse

Free thespoony and all other livejournal prisoners!

Posted by: Anonymous | January 27, 2006 8:35 PM | Report abuse

said FUK LJ
said FUK LJ
said FUK LJ
said FUK LJ
said FUK LJ
said FUK LJ
said FUK LJ
said FUK LJ
said FUK LJ
said FUK LJ
said FUK LJ
said FUK LJ
said FUK LJ
said FUK LJ

Posted by: ur mom | January 28, 2006 6:17 PM | Report abuse

awww poor LJ users can cry and emo as much anymore.
i guess its back to anal horse rapings

Posted by: viva lj | January 28, 2006 6:18 PM | Report abuse

What is going on here?

Posted by: Anonymous | January 28, 2006 6:21 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company