Two Livejournal Screwups in the Same Week

Mar 04, 2010 15:05


I don't mean to keep harping on Livejournal's problems and brokenness, I really don't. But there are two entirely separate screwups happening over in LJ-land right now, and I wouldn't want any of my friends to get bit by either of them. Yes, I know: Two at once? That's a little excessive even for them, but... the evidence is pretty hard to deny.

First off, and honestly more important, is the way they're rewriting outbound links to redirect them through a third-party click-tracker of some sort. A few of the clearer write-ups on this are:
  • http://vichan.livejournal.com/392527.html - notes ways in which this can mess with people's livelihoods and monetary transactions
  • http://atara.livejournal.com/631445.html - points out that we have no way of knowing what information is being collected by outboundlink.net, but the fact that their web page is completely blank doesn't inspire confidence. Also notes that many links get redirected to the wrong place.
  • http://caffeinepuppy.livejournal.com/214632.html - apparently a web developer, notes that the techniques being used here are ones "that would only be used by someone who wanted to hide the fact that they are manipulating outbound links." I haven't read the actual code, but from the little I've seen so far, that seems accurate.
  • http://shatterstripes.livejournal.com/1065670.html - has a full list of the domains that are affected by this. The rewriter only tries to rewrite links in which the hostname ends with any of those domains - but that means that, since "ebay.com" is on the list, any links to Gluten-FreeBay.com or crittersbythebay.com get irrevocably mangled. Shatterstripes' journal has some ugly formatting, so you may wish to view it in your own style.
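The suffix-matching problem described in the last item, as an added example (not Livejournal's script and not code from any of the linked posts). It assumes the rewriter does a plain string suffix test on the hostname; `TRACKED` is a constructed one-entry list and all function names are hypothetical.

```javascript
// Constructed stand-in for the affected-domain list (the real list is in the linked post).
const TRACKED = ["ebay.com"];

// Parse the link and normalize its hostname: URL lowercases it; drop a trailing root dot.
function hostOf(link) {
  return new URL(link).hostname.replace(/\.$/, "");
}

// Assumed behaviour, per the post: the hostname merely "ends with" a listed domain.
function naiveMatch(link, domains = TRACKED) {
  const host = hostOf(link);
  return domains.some((d) => host.endsWith(d));
}

// Label-boundary test: the host is the listed domain itself or a subdomain of it.
function boundaryMatch(link, domains = TRACKED) {
  const host = hostOf(link);
  return domains.some((d) => host === d || host.endsWith("." + d));
}

// Links the suffix test would claim but the boundary test leaves alone.
function falsePositives(links, domains = TRACKED) {
  return links.filter((l) => naiveMatch(l, domains) && !boundaryMatch(l, domains));
}

// Constructed sample links; the two unrelated shop hostnames are the ones named in the post.
const SAMPLE_LINKS = [
  "http://www.ebay.com/itm/123",
  "http://ebay.com/",
  "http://Gluten-FreeBay.com/",
  "http://crittersbythebay.com/shop",
  "http://example.org/?ref=ebay.com",
];

console.log(falsePositives(SAMPLE_LINKS));
```

Matching on the parsed hostname rather than the whole URL also keeps a domain name that only appears in a query string, as in the last sample link, from being treated as a hit.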

And of course, many people have noted that this is being applied, without warning or permission, even to paid users. That is, people who have paid LJ/SUP money to not have ads and similar things on their journals are nonetheless having their links surreptitiously redirected (and sometimes broken).

In the meantime, it looks like they also have a nasty-scary authentication bug that allows people to comment as you if you forward them an HTML-formatted comment notification. It's not super-obvious from the writeup at that linked page, but it looks like the steps to reproduce this are:
  1. Go to your account's display settings page and set "Email Format" to HTML - this is the part that many people have not done, which has left them safe from this particular bug
  2. When you receive an HTML-formatted comment notification email, forward it to someone with a different LJ account. (Of course, this person could be you, if you have more than one LJ account. That'd be the safe way to explore this bug...)
  3. Have that person type into the "Reply to comment" window in the email.

Presto, the person will then reply as you, rather than as themselves! Yes, even if they're logged in under their own account, their reply will come from your account.

This implies that Livejournal's handling of user authentication is fundamentally flawed. And LJ has known about this for over a year. (And a short comment thread in the above-linked entry notes that Dreamwidth fixed this bug a while back. Yay, Dreamwidth!)

argh, others' idiocy, alerts, livejournal
