http://blogs.washingtonpost.com/securityfix/

Account Hijackings Force LiveJournal Changes

LiveJournal, an online community that boasts nearly 2 million active
members, on Thursday announced sitewide changes for users logging into their
accounts -- changes prompted by a hacker group's successful hijacking of
potentially hundreds of thousands of user accounts.

In an alert posted to its user forum, LiveJournal said it was instituting
new login procedures for users because "recent changes to a popular browser
have enabled malicious users to potentially gain control of your account."
Company officials could not be immediately reached for comment. I also put
in a query to Six Apart, which owns LiveJournal (and the service we use to
produce this blog), but have yet to hear from them either.

An established hacker group known as "Bantown" (I would not recommend
visiting their site at work) claimed responsibility for the break-in, which
it said was made possible due to a series of Javascript security flaws in
the LiveJournal site.

A trusted source in the security community put me in touch with this group,
and several Bantown members spoke at length in an online instant-message
chat with Security Fix. During the chat, members of the group claimed to
have used the Javascript holes to hijack more than 900,000 LiveJournal
accounts. (Although I quote some of them in this post, I have chosen to omit
their individual hacker handles -- not because we're trying to protect their
identities, but because a few of them could be considered a tad obscene.)

LiveJournal's stats page says the company has more than 9.2 million
registered accounts, but that only 1.9 million of them are active in some
way. The largest percentage of users are located in the United States and
Russia.

Bantown members said they created hundreds of dummy member accounts
featuring Web links that used the Javascript flaws to steal "cookies" (small
text files on a Web-browsing computer that can be used to identify the user)
from people who clicked on the links. Armed with those cookies, the hackers
were then able to either log in as the victim, or arbitrarily post or delete
entries on the victim's personal page.

"It is impossible to know how many of these are nonfunctional, but we have
an 85% success rate on usage, so it may be fair to state that 85% of those
are valid," one member of Bantown told Security Fix. "However, we have only
used approximately five hundred of these cookies so far, so it is impossible
to tell whether this sample is statistically valid. Still, a massive number
have been compromised."

Normally, sites like LiveJournal prohibit the automated creation of accounts
by using so-called "captcha images," online Turing Tests that require the
user to read a series of slightly malformed numbers and letters and input
them into a Web site form before a new account can be created. The idea is
to stymie automated programs created by spammers who try to register new
accounts for the sole purpose of using them to hawk their wares.

But Bantown claims to have figured out a way to subvert that test, and to
have even released a free, open-source program that others could use to do
the same.

According to Bantown, the group has been doing this for months, and
LiveJournal was only alerted to the problem after the specially crafted URLs
the hackers created started setting off antivirus warnings when some users
clicked on the links.

"What eventually led LiveJournal to discover and patch our first
vulnerability is that McAfee's full [computer security] suite actually has
some preliminary protection against cross-site scripting attacks," one group
member said.

It is unclear whether LiveJournal has managed to close the security holes
that the hackers claim to have used. The company says it has, but the
hackers insist there are still at least 16 other similar Javascript flaws on
the LiveJournal site that could be used to conduct the same attack.

Group members said they plan to turn their attention to looking for similar
flaws at another large social-networking site.

Anytime you have large groups of computer users aggregating at such places,
they are going to be seen as a target-rich environment by hackers and hacker
groups. Over the past several months, a number of exploits have been
released to help users or attackers circumvent the security of online
forums.

So far, the damage has been mostly harmless. The most high-profile case
came in mid-October when one Myspace.com user released a
self-replicating computer worm that took advantage of Javascript flaws to
add more than a million fellow users to his buddy list. A similar worm hit
the online community Xanga on New Year's Eve (there is also some strong
language at this link).


