As you may have already noticed, some video and media embedding in LiveJournal entries has been disabled, and the content and security level of some entries may have changed unexpectedly. Both are related to a web security exploit that affected some entries on LiveJournal for approximately two hours today. Here is what you should know:
- You should check your recent entries to be sure the security level has not been changed and embed tags (as described below) have not been added.
- This exploit was spread through malicious Flash code embedded in journal entries.
- To combat the exploit, most video and other media embedding has been disabled - we will re-enable them on a site-by-site basis over the coming hours and days.
- Once media embedding was disabled, the exploit was stopped; it is no longer a risk.
- If you see four boxes (picture below) on a friend's entry, you should inform your friend since they may not be aware of what occurred.
What occurred today caused a limited but serious privacy breach, so we are making this post in order to inform you of the issue, what actions this exploit performed, and how to know if you have been affected. All of the information provided here is offered to the best of our knowledge right now, and if it substantially changes we will update this post or take other action to notify you.
We received several reports beginning at about 7:45 p.m. PDT on Tuesday, September 22nd (2:45 a.m. GMT Wednesday, September 23rd) that entries had been mysteriously altered - by adding additional code and/or by altering the security level. When the users attempted to return the entries to their previous state (taking out the added content or returning the security level to the chosen one), their changes were often reversed again.
Developers were promptly notified, and upon investigation it was determined that the exploit took place through cross-domain scripting in an embedded Flash file. All media embedding was disabled immediately. At the present time, media embedding from YouTube and RuTube is re-enabled, but we will be adding to that list over the coming days.
How the exploit was spread:
- Viewing an entry with the infected media caused the script to modify the latest entry of the account that viewed it, adding the malicious code to that entry.
What this exploit did:
- When a user who was logged in viewed an infected post, the Flash file would then make a cross-domain request to livejournal.com
- The most recent post was then edited to add the Flash files, and all settings were changed back to default (for example: default userpic, no mood listed, and the security setting changed to the journal default)
- The file then recorded the email address listed on the "Edit Profile" page - meaning, it recorded the email address regardless of the privacy settings
- While the exploit was active (at this time we believe it was about 1-2 hours), affected posts that were edited by the journal owners to their original state would be reverted back to the infected state (not able to be edited/changed)
What this exploit *did not* do:
- It did not steal any passwords, manipulate or "steal" login cookies, or record any information other than an email address
- It was rendered inactive at 8:50 p.m. PDT (September 22nd)/3:50 a.m. GMT/UTC (September 23rd), when LiveJournal engineers disabled embedded media (such as video files) to stop it from spreading
- It did not infect a computer or harm it in any way
How to identify an affected entry/account:
- Accounts which have been affected will have a recent entry with these four boxes at the bottom:
- This will be one of the most recent entries on the journal and/or the top entry (if it is a backdated top-post)
- If no entry with this modification is present, the account has not been affected.
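For anyone wanting to check entries without eyeballing every post, here is a small scanner, added as an illustration and not part of LiveJournal's own code, that lists every embedded-media source in an entry's HTML that does not come from an allowlisted site (mirroring the site-by-site re-enabling described above). The allowlist hosts and the sample entry HTML are constructed assumptions, not values from this post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the post names only YouTube and RuTube as re-enabled;
# the exact host names below are assumptions for the example.
ALLOWED_EMBED_HOSTS = {"www.youtube.com", "youtube.com", "rutube.ru"}


class EmbedCollector(HTMLParser):
    """Collect the source URL of every <embed>, <object> and movie <param> in an entry."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs if v is not None}
        if tag == "embed" and "src" in a:
            self.sources.append(a["src"])
        elif tag == "object" and "data" in a:
            self.sources.append(a["data"])
        elif tag == "param" and a.get("name", "").lower() in ("movie", "src") and "value" in a:
            self.sources.append(a["value"])


def disallowed_embeds(entry_html, allowed=ALLOWED_EMBED_HOSTS):
    """Return the embed sources in entry_html whose host is not on the allowlist.

    Relative or host-less sources are reported too, since they cannot be
    attributed to a trusted media site.
    """
    collector = EmbedCollector()
    collector.feed(entry_html)
    flagged = []
    for src in collector.sources:
        host = (urlparse(src).hostname or "").lower()
        if host not in allowed:
            flagged.append(src)
    return flagged


# Constructed sample entry: one allowlisted video plus one unknown Flash object.
SAMPLE_ENTRY = (
    '<p>Holiday photos</p>'
    '<embed src="http://www.youtube.com/v/abc123" type="application/x-shockwave-flash" />'
    '<object data="http://unknown-host.example/movie.swf"></object>'
)

if __name__ == "__main__":
    for src in disallowed_embeds(SAMPLE_ENTRY):
        print("embed not on allowlist:", src)
```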
After investigation of the JavaScript code that was found, we believe there are two privacy breaches potentially affecting these journals:
- One or more of the most recent entries in the journal may have had their privacy settings removed; therefore a post set to friends-only or private may have been made public, if the journal default entry-security level is set to "public"
- The email address (whether hidden or not) associated with the account may have been sent back to a server controlled by the attacker
The scope of the exploit/number of users affected:
- We believe this was present for more than one hour but less than two
- Through reports and our investigation this evening, we've seen fewer than 100 affected entries; however, due to the nature of friends pages it is likely more widespread than this
- At this time, we believe the number of users affected is limited - we will investigate activity logs and other data in order to determine with more accuracy the scope of this issue