http://blogs.washingtonpost.com/securityfix/
Account Hijackings Force LiveJournal Changes

LiveJournal, an online community that boasts nearly 2 million active members, on Thursday announced sitewide changes for users logging into their accounts -- changes prompted by a hacker group's successful hijacking of potentially hundreds of thousands of user accounts.

In an alert posted to its user forum, LiveJournal said it was instituting new login procedures for users because "recent changes to a popular browser have enabled malicious users to potentially gain control of your account."

Company officials could not be immediately reached for comment. I also put in a query to Six Apart, which owns LiveJournal (and the service we use to produce this blog), but have yet to hear from them either.

An established hacker group known as "Bantown" (I would not recommend visiting their site at work) claimed responsibility for the break-in, which it said was made possible due to a series of Javascript security flaws in the LiveJournal site.

A trusted source in the security community put me in touch with this group, and several Bantown members spoke at length in an online instant-message chat with Security Fix. During the chat, members of the group claimed to have used the Javascript holes to hijack more than 900,000 LiveJournal accounts. (Although I quote some of them in this post, I have chosen to omit their individual hacker handles -- not because we're trying to protect their identities, but because a few of them could be considered a tad obscene.)

LiveJournal's stats page says the company has more than 9.2 million registered accounts, but that only 1.9 million of them are active in some way. The largest percentage of users are located in the United States and Russia.

Bantown members said they created hundreds of dummy member accounts featuring Web links that used the Javascript flaws to steal "cookies" (small text files on a Web-browsing computer that can be used to identify the user) from people who clicked on the links.
Armed with those cookies, the hackers were then able to either log in as the victim, or arbitrarily post or delete entries on the victim's personal page.

"It is impossible to know how many of these are nonfunctional, but we have an 85% success rate on usage, so it may be fair to state that 85% of those are valid," one member of Bantown told Security Fix. "However, we have only used approximately five hundred of these cookies so far, so it is impossible to tell whether this sample is statistically valid. Still, a massive number have been compromised."

Normally, sites like LiveJournal prohibit the automated creation of accounts by using so-called "captcha images," online Turing tests that require the user to read a series of slightly malformed numbers and letters and input them into a Web site form before a new account can be created. The idea is to stymie automated programs created by spammers who try to register new accounts for the sole purpose of using them to hawk their wares. But Bantown claims to have figured out a way to subvert that test, and to have even released a free, open-source program that others could use to do the same.

According to Bantown, the group has been doing this for months, and LiveJournal was only alerted to the problem after the specially crafted URLs the hackers created started setting off antivirus warnings when some users clicked on the links.

"What eventually led LiveJournal to discover and patch our first vulnerability is that McAfee's full [computer security] suite actually has some preliminary protection against cross-site scripting attacks," one group member said.

It is unclear whether LiveJournal has managed to close the security holes that the hackers claim to have used. The company says it has, but the hackers insist there are still at least 16 other similar Javascript flaws on the LiveJournal site that could be used to conduct the same attack.
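The article describes the flaw class (user-supplied links on profile pages that carried script, which in turn read victims' cookies) but not the specific bugs. The following is an added example, not code from the article or from LiveJournal, showing the general pattern behind such stored cross-site scripting and its standard fix: a constructed profile-rendering function that copies user fields straight into HTML, beside a version that restricts the link scheme and HTML-escapes every user-controlled value. The profile records, field names and the `alert(1)` payload are all constructed for illustration.

```python
"""Added example (not from the article): stored cross-site scripting via a
user-supplied profile link, and the output-encoding fix.

The article says attackers created dummy accounts whose web links abused
JavaScript flaws in the site but does not say what the flaws were, so the
vulnerable template below is a constructed illustration of the general class
(user-controlled text copied into HTML unescaped), not LiveJournal's code.
"""
import html
import re
from urllib.parse import urlsplit

# Constructed sample profile fields; the second one carries a script payload
# that closes the href attribute and injects a <script> element.
SAMPLE_PROFILES = [
    {"name": "alice", "site": "https://example.org/alice"},
    {"name": "mallory", "site": 'https://example.org/"><script>alert(1)</script>'},
]


def render_profile_vulnerable(profile):
    """Vulnerable: copies user fields straight into markup, so a quote in the
    'site' field breaks out of the attribute and any tag that follows is live."""
    return '<a href="%s">%s</a>' % (profile["site"], profile["name"])


def safe_url(url):
    """Allow only absolute http(s) links; anything else (including javascript:
    URLs) falls back to '#'. Assumption: the site wants external links only."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return "#"
    return url


def render_profile_fixed(profile):
    """Fixed: validate the URL scheme, then HTML-escape every user field.
    quote=True turns both " and ' into entities, so the attribute cannot be
    closed early and any '<' in the text is rendered literally, not parsed."""
    href = html.escape(safe_url(profile["site"]), quote=True)
    name = html.escape(profile["name"], quote=True)
    return '<a href="%s">%s</a>' % (href, name)


# Crude detector used to compare the two renderers: does an unescaped
# "<script" survive in the output? (A real check would use an HTML parser.)
SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def contains_live_script(markup):
    return bool(SCRIPT_TAG.search(markup))


if __name__ == "__main__":
    for p in SAMPLE_PROFILES:
        print("vulnerable:", render_profile_vulnerable(p))
        print("fixed:     ", render_profile_fixed(p))
```

Run it to see that the escaped rendering keeps mallory's payload as inert text (`&quot;&gt;&lt;script&gt;...`) while alice's ordinary link is unchanged. Escaping at output time is the right layer for this fix because it does not depend on guessing every input the site might later accept; the scheme check on the link is a separate control that stops `javascript:` links, which escaping alone would not.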
Group members said they plan to turn their attention to looking for similar flaws at another large social-networking site.

Anytime you have large groups of computer users aggregating at such places, they are going to be seen as a target-rich environment by hackers and hacker groups. Over the past several months, a number of exploits have been released to help users or attackers circumvent the security of online forums. So far, the damage has been mostly harmless.

The most high-profile case so far came in mid-October when one Myspace.com user released a self-replicating computer worm that took advantage of Javascript flaws to add more than a million fellow users to his buddy list. A similar worm hit the online community Xanga on New Year's Eve (there is also some strong language at this link).

You are a subscribed member of the infowarrior list. Visit www.infowarrior.org for list information or to unsubscribe. This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners.