Preventing the sausage attack UPDATED

Jun 11, 2004 18:08

Update: note for new readers

I probably can't answer your questions about the attack. If bad things have happened to your journal, as a result of this attack or otherwise, please file a support request. If you got bitten by a new attack on LJ that's recently become popular, and someone directed you here for more information, I'm sorry but you've [...]


ashley_y June 11 2004, 12:05:36 UTC
Can this attack currently be used against other LJ submission forms? For instance, could it be used to add a friend, or change user info, or something?


penguinny June 11 2004, 13:16:06 UTC
Yes, it can. I saw this done (not sure if you want to see the exact link - it is in Russian).


Re: Oh jeez. vardissakheli June 11 2004, 22:15:45 UTC
Not to give anybody any ideas, but it just occurred to me that a malicious script using this technique could open a livejournal page (or your credit card statement, or what have you) in another frame, read the contents of that page, and submit it in a form back to another host. Bye-bye private information.


Re: Oh jeez. owdbetts June 12 2004, 06:10:09 UTC
[...] a malicious script using this technique could open a livejournal page (or your credit card statement, or what have you) in another frame, read the contents of that page [...]

How would it read the contents of the page? It would be in a different domain, so wouldn't cross-domain scripting restrictions prevent it?

-roy


(The comment has been removed)

Re: Oh jeez. ciphergoth June 12 2004, 11:29:14 UTC
How bad are things with IE? I use Firefox, perhaps unsurprisingly.


Re: Oh jeez. madscience June 12 2004, 18:45:03 UTC
Pretty bad. Two days ago, another bug was publicized that allows a malicious site to install adware without your consent.

I use Firefox also... when I use Windows at all.


Re: Whew. vardissakheli June 13 2004, 09:43:49 UTC
Noncompliant clients notwithstanding, it's good to hear my understanding of what a script could have access to was overly broad.


Re: Whew. owdbetts June 13 2004, 15:15:03 UTC
Hey, that was a question, not a statement... Please don't take my word on this; I'm no expert...


Re: Yes. m_leprae June 12 2004, 17:00:51 UTC
I've been checking out the code for one attack that adds two friends and another that posts something to your journal and they are both very simple JavaScripts. Changing user info would be a little bit harder.

