On LJ Security Fail

Oct 27, 2011 06:53

Okay, I've been poking around about the LJ thing, so I'm going to say what happened here, since I've had a few people PM to ask. I haven't seen a links round up yet, so here's one for now until I find someone who is doing it better.

First, I'll describe what happened to me.

Yesterday, I logged in over at LJ, and went to edit an entry. Instead of redirecting to an edit entry, it dumped me into the log-in page, logged into an unfamiliar journal. (For logistic purposes, I was on a mac running Snow Leopard, using Firefox 7, and my LJ account type is a permanent account. I was not using LJ-Login at the time, but logging in manually, as I already knew LJ Login was borked.)

I was mostly kind of baffled at first, and clicked on the journal I was logged into, whereupon I saw their journal, including obviously locked entries. This was not a journal I had ever seen before, or should have had any permissions to read f-lock or private entries with, obviously.

I scanned the page enough to see what had happened, and the user was, I believe, Russian, but had entries in English as well. I then rapidly logged out, when I realized, and was unsettled. Not sure what had happened, I made my last entry, and then started reading around.

I logged back onto LJ, changed my password, just in case, and filed a support request. As far as I could tell at the time, that support request was PUBLIC. As of now, it is listed as PRIVATE, but has not been responded to. I can't see anything in the public support queue about this problem, so I'm guessing that all support requests about it are being set to private by the support team/admins. (This may just be standard procedure with login/security related problems, for all I know, but I find it ANNOYING that they're hiding the problem without offering any kind of official response yet.) [E.T.A. - in comments, azurelunatic pointed out that as far as they knew, it IS standard to private anything security related, or requiring higher-ups to address.]


boundbooks then replied to my entry, giving a link to their entry about the situation. My flist also pointed me to stunt_muppet, who says that people are reporting access to other people's entries and account information. (I did not stay logged in long enough to see if I was given access to edit the other user's entries, or to see if I could look at their account information, but given that I was logged in AS them, I think it's very likely I could have.) Their E.T.A.'s also include links and further information that seem to indicate this is not yet a solved problem.

They also directed me to unfunnybusiness over at journalfen, where there's a discussion going about it. Users in that thread are mentioning the UI changing to Russian language default. (And started up an obligatory DW code thread.)

denise at dw_maintenance posted that LJ's release had broken the crossposter.


eruthros has a round up of incidents as well, including a link to fallacy_angel's post at lj_releases, which includes a screencap.

I began to dig through the lj_releases entry, where the problem was being mentioned, and mentioned, and mentioned some more, but with no official response other than "tell support" that I've seen. Most of the official responses within the comments concern the ljlogin/ljjuggler issue, with no real acknowledgement of the very real security issue. (Note, there are many more comments about the privacy issue, but I didn't link all of them; feel free to link me to any relevant subthreads I should include.) There is also a public support request I spotted about journals set to private/flocked having the defaults continually reset to public, which means any new entries are public. It's now edited to say resolved, which may have been a fix on LJ's part, I don't know, as I DID see someone mentioning the same problem elsewhere, but haven't been able to track down where I saw it again yet.

I've had issues with LJ before, but this was a very jarring, personal issue. I was given access to someone else's PRIVATE journal entries/LOCKED journal entries, and likely their personal information as well. Which leads me to wonder who had access to MINE? This is a very real, highly disturbing security problem, even for me, who has no real personal identity to hide, but is just uncomfortable with the idea. For someone who may have very real reasons to hide their identity, or want to keep their entries private, this could be a nightmare. People could make previously private entries in journals not their own public. They could have access to phone numbers of those who have a cell phone set up in their profile for texting. For those who have auto-payment set up in their billing, they might have access to credit cards. (Again, I did not personally check to see if I could see the account info of the other journal, but as I was logged in as them, I think it's probable.)

So in short, I was disturbed, appalled, and now I am INVESTED in being extremely angry about this.

Feel free to link this around, and if you have any updates, drop a comment and I'll try to keep editing them in, as I find new information.

Sadly, I did not think to get screenshots of these things as they were happening. If you want to link to caps and links, then I suggest you blur out any journal names/entry texts of people whose journal you were accidentally logged in to, for the sake of not making this worse than it already is.

I'm filtering comments to DW, so I don't have to maintain them at two entries, and anon commenting is on for those who don't have DW accounts. (Also, if anyone is looking for invites, I do have a few, and there's always dw_codesharing.)

E.T.A. - And as of now, we have an official response from LJ Maintenance, which says there is no effect on security as you couldn't interact with the features of the journal you were shown as logged in to. If true, that does ease the mind on questions of viewing personal profile information or editing entries - but it does nothing for the fact that private entries/locked entries were viewable. From their entry:
The following occurred - while updating the configuration of our internal caching system, Varnish, for a few minutes the system began to issue cached pages from the users who most recently visited the same page, as the system considered this the most relevant source of data. Thus, for 3 minutes, some users may have seen pages which appeared as though they were logged in as another random account, but it was actually just a snapshot of the page of the last visitor. It had no effect on security, as it was not possible to perform any actions on behalf of this other account. When attempting to load another page during these few minutes, another cached page was served in most cases.

E.T.A. 2 - Pointed out by eruthros in comments:
I did the math on the first reports, and they were all just after midnight UTC - about 12:20 am 10/26 UTC (or 5:20 PDT or 8:20 EDT on 10/25 for folks in the USA). So that's the first instance, but then you seem to have experienced it about 15 hours after that, which kind of ... doesn't sound like a three minute problem to me.

Given that, the three minute window story in the official LJ release... makes no sense, unless they are referring to there being a three minute window after each user's login, as in if someone else logs in within three minutes of you, they could be redirected to your journal. (Or at least that's the only feasible explanation I can think of.) So their explanation is either poorly worded... or not accurate.
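As an added illustration (not LJ's or Varnish's code) of the caching failure quoted from lj_maintenance above, and of why a short misconfiguration window does not bound how long leaked pages keep being served: a toy shared cache keyed only on URL, beside the safe policy of sending any request that carries a session cookie straight to the origin without storing it. Account names, cookie values and paths are constructed.

```python
# Added example, not LJ's or Varnish's code: a shared cache keyed only on URL
# hands the last visitor's personalised page to the next visitor.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # constructed cookie -> account


def render(path, cookie):
    """Origin server: page for whoever holds the session cookie."""
    user = SESSIONS.get(cookie, "anonymous")
    return f"{path} as {user}" + (" (incl. locked entries)" if cookie in SESSIONS else "")


class SharedCache:
    """Toy reverse-proxy cache.  policy="url_only" stores and serves by URL
    alone (the failure described above); policy="pass_on_cookie" sends any
    request carrying a session cookie straight to origin without storing it,
    so a personalised page can never be shared with another visitor."""

    def __init__(self, policy):
        self.policy = policy
        self.store = {}  # path -> cached page body

    def fetch(self, path, cookie=None):
        if self.policy == "pass_on_cookie" and cookie is not None:
            return render(path, cookie)  # bypass: never cached
        if path not in self.store:
            self.store[path] = render(path, cookie)  # whoever is first fills it
        return self.store[path]

    def purge(self):
        self.store.clear()


def simulate(policy):
    """Alice loads an entry while logged in; Bob then loads the same URL."""
    cache = SharedCache(policy)
    alice_view = cache.fetch("/entry/123", cookie="sess-alice")
    bob_view = cache.fetch("/entry/123", cookie="sess-bob")
    return alice_view, bob_view


def leak_outlives_fix():
    """A page stored under the broken policy keeps being served to anonymous
    visitors after the policy is corrected, until the cache is purged."""
    cache = SharedCache("url_only")
    cache.fetch("/entry/123", cookie="sess-alice")   # poisons the URL key
    cache.policy = "pass_on_cookie"                  # configuration corrected
    still_leaking = cache.fetch("/entry/123")        # anonymous visitor
    cache.purge()
    after_purge = cache.fetch("/entry/123")
    return still_leaking, after_purge
```

Correcting the configuration without purging is what `leak_outlives_fix` models: pages already stored during the window continue to be served until they expire or are evicted.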

E.T.A. 3 - And the official post has a comment saying this is a continuing problem. And another that says that actual action (as in posting as someone else) was taken while the log-in switch was happening. (The wording seems a little contradictory in comments, but might just be an issue with stating something oddly.)

E.T.A. 4 (Friday, the 28th, 6:53 am, eastern time) - As of this morning, LJ released an update to the much-more-widely-read news comm. The security incident was mentioned very briefly in the first paragraph, and was downplayed pretty strongly. The only mention read:
Happy Halloween and welcome to the official newsletter for all things LiveJournal! Bringing you information about system updates, community events, LJ social outreach, and other newsworthy nuggets from the world of LiveJournal. A quick note before we jump in: we've posted an update at lj_maintenance outlining a service issue that sprung up a couple days ago and was quickly resolved.

Comments immediately came up objecting to the downplaying, and they were directed to the maintenance post. I'm having trouble getting LJ to load at all, so I'm having trouble parsing through comments to see if there has been an official response to the "not actually three minutes" issue, or the "actually, people were posting as the accidentally logged-in journals" issue. As far as I can see, there has been no reply to either of those facts, but I might have missed it.

marahmarie commented with a take on the caching problem, and thinks it likely that the cached cookies could be used for actions such as posting. (I have no technical knowledge, so I won't debate, but given the multiple reports of posting as someone else, I tend to believe their take on it.)

eruthros's E.T.A.s on their post also have some additional links to reports of people posting as the hijacked journals.

E.T.A. 5 (Friday, the 28th, 10:05 am, eastern time) - Spotted via rydra_wong, siljamus says in their post:
Be aware that the problem is still being reported by some users after this announcement. Someone who is very tech literate suggested this as a way of trying to keep your journal(s) safe for the time being:

Log out of LJ entirely, expire all sessions, and stay logged out until the problem is no longer being reported.

This should protect you from having your logged-in account cached for someone else to see.

E.T.A. 6 (Friday, the 28th, 1:55 pm, eastern time) - I had a reply from LJ support concerning the ticket I placed. (I got the email at 11:34, but forgot to update with the response until now.) It gives no real new information, just directing to the maintenance post. Quoting the response in full:
Dear user sullensiren,

Thank you for your inquiry. A post has been made in the lj_maintenance community that discusses the issues that occurred yesterday [http://lj-maintenance.livejournal.com/131843.html]. I apologize for the confusion this problem caused you and other users, and please know that the issue was resolved very quickly once it was identified.

Regards,
LiveJournal Community Care Team

I continue to think that it is not as resolved as they claim, or as harmless as they seem to believe.

E.T.A. 7 (Saturday, the 29th, 6:55 am, eastern time) - Reports of the problem seem to have tapered off, as I haven't seen any new accounts in the comments of the maintenance/news posts, though I did see reports of still being randomly logged out. busaikko commented on the maintenance post to give support's reply to their request for a copy of their cache to see who has accessed their journal. The reply they quoted was:
Dear user busaikko,

Thank you for your inquiry. It is not possible to provide you with the information that you requested, as there is no record kept of what pages are shown to every user of the site -- such a record simply is not systematically possible on a site the size of LiveJournal.

As the problem occurred for only a very short period of time, it is likely that most users had no pages of theirs shown to another person -- the problem was resolved within a matter of minutes. Cached pages are also static; even if another person saw a page of your journal, they did not actually have access to your account. They were not actually logged in as you, and did not actually have control of the account. They could not have made any changes to the page they were on, nor could they have chosen to view any other page or settings of your journal.

I am sorry for the frustration and worry that this situation caused you and other users, and I apologize that the announcement regarding the problem was so delayed -- I definitely agree that information about the problem should have been made available sooner. While I hope that you will continue to keep using LiveJournal to keep in touch with friends and family, I certainly understand that this incident may prevent you from being able to do so.

Regards,
LiveJournal Community Care Team

There were no direct links to the person affected, so I'm not linking, but there was discussion in comments of people who had friends who got dumped into others' inboxes, where they could read private PM exchanges that contained phone numbers, so while that might be an isolated incident, the LJ line about it not being a real security problem seems even more false.

E.T.A. 7 (Saturday, the 29th, 1:34 am, eastern time) - (F.Y.I., I put the times on for when I edited the ETA's in, not necessarily when the bugs were reported, just so it's obvious when this post was last updated.)

Via boundbooks in comments, majoline reported a new version of the bug that didn't dump them into a random journal, but instead took them to the edit page of the fic link/journal page they had clicked on to read. From their post:
they're still messing up - I right clicked on a story rec link to open it into a new tab, and instead it took me to that particular journal entry's edit page. >:(

Reported to lj, but still... thought everyone would appreciate the heads-up.

As far as I've seen, that version of the bug is entirely new, and actually quite a bit worse, since it means any popular post that's getting a lot of hits (popular fics, meta, round ups, etc) would be more likely to be hit, and if they can actually be edited (which LJ did say wasn't possible, but people seemed able to comment, so I'm still not really believing that), then people could find their entries altered. (Though that is supposition and not any actual facts from me, so grain of salt. I'm not tech-savvy.) So far that's the only report of that type that I've seen, but if anyone spots more, links would be welcome.

E.T.A. 8 (Saturday, the 29th, 5:17 am, eastern time) - majoline dropped by in comments to say that the edit buttons were grayed out when they ended up there.
boundbooks also has a follow-up post with a few added links and information.

E.T.A. 9 (Saturday, the 30th, 7:43 am, eastern time) - briar_pipe dropped a comment pointing to a more recent comment from margi_lynn where they say the edit problem is still happening.

E.T.A. 10 (Saturday, the 30th, 5:40 pm, eastern time) - From a comment, there may be two separate bugs: one is an existing bug that doesn't expose locked entries, it just directs to an unusable edit page for public entries, and the other is the one we've been seeing for the past couple of days. (They explain it better in comments, and in their roundup post as well.)

And there does seem to be a more recent report of the original bug as well, which did have a screencap but the auto-spam bot caught it as suspicious, for the moment.

This entry was originally posted at dreamwidth, and has comments.

livejournal, ranting & raving, technology baffles me
