Re: The sausage meme and its copycats

Jun 12, 2004 14:33

There are issues on the LJ issue tracker board concerning this.

I've just filed my own bug against Firefox. (LJ *need* to fix their end, but there are things the browser can do to prevent this too, that are low-impact. Hopefully Mozilla/Firefox will implement a block for the next version. Good luck waiting for Microsoft to fix Internet Explorer


Comments 14

(The comment has been removed)

deliberateblank June 12 2004, 07:17:34 UTC
Nope, but it would be bloody annoying to those it affected.

And you could come up with a combination exploit. Something that started off as something like the sausage meme, that people might actually want to keep, but then some time later after enough people had the entries the back end script could be changed to something more damaging.

A lot of those affected might not know how to deal with it, and if it was something more subtle like adding to the friends list then many might not even notice it. Potentially very nasty.


odubtaig June 12 2004, 08:54:42 UTC
What if it manages to delete all your posts, change your password and just leave itself as a meme in what remains? There are enough infrequent posters that the deletion of all their other posts could go unnoticed and the potential for everyone with them as a friend to be affected is there.


dmh June 12 2004, 13:01:44 UTC
Thankfully LiveJournal makes you enter your password before you can change it; so the script would have to trick you into entering the password before it could change it...



kaet June 12 2004, 07:35:57 UTC
Thanks for taking the effort. I know how boring and tedious dealing with bug submission and the like is! I sometimes tend to assume someone else will do it, even though I shouldn't, :(.



owdbetts June 12 2004, 08:10:21 UTC
There's apparently another one that adds a friend.

ciphergoth has started a thread in lj_dev here.

-roy



ciphergoth June 12 2004, 10:12:33 UTC
I can't be arsed to create a Bugzilla account to add this observation, but if you agree with me then feel free. I don't think the fixes you propose in Firefox are the right ones. Fundamentally this problem doesn't have much to do with Javascript - if you can get the user to click a "submit" button, you can submit a form in their name anywhere.

Instead, I think the correct fix is not to present cookies in cross-site POST requests - or at least, to ask the user before doing so.


wechsler June 12 2004, 12:16:11 UTC
And what about GET forms?


ciphergoth June 12 2004, 16:59:25 UTC
I'd like to leave GET requests so that (eg) I can post a link to a friends-locked LJ on DJ, and if you're logged in you can just click the link.

I've always been given to understand that GET requests are not supposed to change anything, only request things. If servers enforce that, then this will work. If they don't, it doesn't...


wechsler June 13 2004, 01:17:04 UTC
You may be strictly right there, although it's not exactly what I remembered - this page seems to agree with you, as does (AFAICT) the RFC. Unfortunately I closed my safari account so I can't check it in the HTTP book.

That said, real-world usage differs; consider: www.somewhere.com/getwebcounterimg.php?page=214&action=increment as a first example.

Reply
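An added example, not part of the original thread and not LiveJournal's code: the two rules argued over in the sub-thread above (no cookie-backed cross-site POST, no state change over GET), enforced on the server rather than in the browser. The site origin, key, session id and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must only read, never change state
SITE_ORIGIN = "https://journal.example"    # assumption: the site's own origin
SERVER_KEY = b"constructed-demo-key"       # assumption: per-deployment secret


def form_token(session_id):
    """Token the site embeds in forms it renders itself for this session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def source_origin(headers):
    """Origin of the page that issued the request, or None if not stated."""
    value = headers.get("Origin") or headers.get("Referer") or ""
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None  # header absent, "null", or unparseable
    return f"{parts.scheme}://{parts.netloc}"


def check(method, headers, session_id, mutates, posted_token=""):
    """Return (allowed, reason) for a request that carries a session cookie."""
    if method.upper() in SAFE_METHODS:
        if mutates:
            return False, "state change over a safe method"
        return True, "read-only request"
    origin = source_origin(headers)
    if origin is not None and origin != SITE_ORIGIN:
        return False, "cross-site origin"
    expected = form_token(session_id).encode()
    if not hmac.compare_digest(expected, posted_token.encode()):
        return False, "bad form token"
    return True, "same-site request with valid token"


# Constructed sample requests, all sent with the user's session cookie.
SID = "constructed-session-id"
SAMPLES = [
    ("GET", {"Referer": "https://other.example/post/1"}, False, ""),
    ("GET", {"Referer": "https://other.example/post/1"}, True, ""),
    ("POST", {"Origin": "https://other.example"}, True, ""),
    ("POST", {"Origin": SITE_ORIGIN}, True, form_token(SID)),
    ("POST", {}, True, ""),
]

if __name__ == "__main__":
    for method, headers, mutates, token in SAMPLES:
        print(method, headers, check(method, headers, SID, mutates, token))
```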


mazzarc June 12 2004, 11:49:04 UTC
I can see the *POTENTIAL* for bad things happening with the sausage meme, but it doesn't SEEM to do anything bad in its present form... does it?


deliberateblank June 12 2004, 18:42:06 UTC
No.

But it could.

And if LJ don't protect themselves, *someone* *will* do something bad with it.

There are already proof-of-concept scripts that modify the friends list of an 'unsuspecting' user. Anything I've suggested is possible. We're just waiting to see who gets there first: the LJ staff protecting against it, or the first real malicious use of this technique.


