Hmmm… this explains some of the changes I noticed at LJ…

http://blogs.washingtonpost.com/securityfix/2006/01/account_hijacki.html

Account Hijackings Force LiveJournal Changes

LiveJournal, an online community that boasts nearly 2 million active members, on Thursday announced sitewide changes for users logging into their accounts — changes prompted by a hacker group’s successful hijacking of potentially hundreds of thousands of user accounts.

In an alert posted to its user forum, LiveJournal said it was instituting new login procedures for users because “recent changes to a popular browser have enabled malicious users to potentially gain control of your account.” Company officials could not be immediately reached for comment. I also put in a query to Six Apart, which owns LiveJournal (and the service we use to produce this blog), but have yet to hear from them either.

An established hacker group known as “Bantown” (I would not recommend visiting their site at work) claimed responsibility for the break-in, which it said was made possible due to a series of Javascript security flaws in the LiveJournal site.

A trusted source in the security community put me in touch with this group, and several Bantown members spoke at length in an online instant-message chat with Security Fix. During the chat, members of the group claimed to have used the Javascript holes to hijack more than 900,000 LiveJournal accounts. (Although I quote some of them in this post, I have chosen to omit their individual hacker handles — not because we’re trying to protect their identities, but because a few of them could be considered a tad obscene.)

LiveJournal’s stats page says the company has more than 9.2 million registered accounts, but that only 1.9 million of them are active in some way. The largest percentage of users are located in the United States and Russia.

Bantown members said they created hundreds of dummy member accounts featuring Web links that used the Javascript flaws to steal “cookies” (small text files on a Web-browsing computer that can be used to identify the user) from people who clicked on the links. Armed with those cookies, the hackers were then able to either log in as the victim, or arbitrarily post or delete entries on the victim’s personal page.

“It is impossible to know how many of these are nonfunctional, but we have an 85% success rate on usage, so it may be fair to state that 85% of those are valid,” one member of Bantown told Security Fix. “However, we have only used approximately five hundred of these cookies so far, so it is impossible to tell whether this sample is statistically valid. Still, a massive number have been compromised.”

One thought on “Hmmm… this explains some of the changes I noticed at LJ…”

Comments are closed.