
LiveJournal Meta
Have your monocle ready
Urgent security notice: embedded content security breach 
23rd-Sep-2009 12:03 am
As far as is known at this time, LJ has had a security breach involving its embedded content domain, lj-toys.com (not to be confused with the unrelated third-party site ljtoys.org.uk). Within minutes of viewing an infected Flash file, your most recent post has its icon and metadata reset, its security set to public, and malicious Flash content inserted into its body. Anyone else who then views that Flash content in your entry is infected in turn. Because of this, embedding on LJ has been disabled, so there should be no new infections from the LiveJournal site itself. Many people's journals have already been tampered with; however, the worm only affects your journal, not your computer.

You should check your latest journal entries using this page. Affected entries contain blocks of embedded Flash at the end; depending on how often you post, more than one recent entry may be affected. Remove the added code and, if you want, reset your metadata, icon and post security.

Here is an example of the code inserted into posts (with all links redacted; this example linked to a .swf on e1h5.simplecdn.net). Note the 1x1 transparent size, which keeps the object invisible on the page, and allowScriptAccess="always", which lets the SWF call JavaScript in the page it is embedded in:

<lj-embed id="26">
<object width="1" height="1"><param name="movie" value="LINKTOBADFLASH"></param><param name="wmode" value="transparent"></param><param name="allowScriptAccess" value="always"></param><embed src="LINKTOBADFLASH" type="application/x-shockwave-flash" width="1" height="1" wmode="transparent"></embed></object>
</lj-embed>
<lj-embed id="27">
<object width="1" height="1"><param name="movie" value="LINKTOBADFLASH"></param><param name="wmode" value="transparent"></param><param name="allowScriptAccess" value="always"></param><embed src="LINKTOBADFLASH" type="application/x-shockwave-flash" width="1" height="1" wmode="transparent"></embed></object>
</lj-embed>
<lj-embed id="28">
<object width="1" height="1"><param name="movie" value="LINKTOBADFLASH"></param><param name="wmode" value="transparent"></param><param name="allowScriptAccess" value="always"></param><embed src="LINKTOBADFLASH" type="application/x-shockwave-flash" width="1" height="1" wmode="transparent"></embed></object>
</lj-embed>
<lj-embed id="29">
<object width="1" height="1"><param name="movie" value="LINKTOBADFLASH"></param><param name="wmode" value="transparent"></param><param name="allowScriptAccess" value="always"></param><embed src="LINKTOBADFLASH" type="application/x-shockwave-flash" width="1" height="1" wmode="transparent"></embed></object>
</lj-embed>
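A scanner for the indicators visible in the code above, added here as an example; it is not LiveJournal's own tooling. It parses each <lj-embed> block, flags objects that are 1x1 and allowed to script the page, and strips those blocks from the entry body while leaving normal embeds alone. The sample entry, the .invalid hostname and the function names are constructed for the example. Size rather than allowScriptAccess alone is used as the discriminator, because ordinary video embeds also commonly set allowScriptAccess="always".

```python
"""Scan entry HTML for injected hidden Flash embeds (added example, not LJ code).

Indicators come from the injected markup quoted above: a 1x1,
wmode=transparent Flash object with allowScriptAccess=always wrapped in
<lj-embed> tags. The sample entry and hostname below are constructed.
"""
import re

EMBED_RE = re.compile(r'<lj-embed\s+id="(?P<id>[^"]+)"\s*>(?P<body>.*?)</lj-embed>',
                      re.I | re.S)
TAG_RE = re.compile(r'<(?P<name>object|param|embed)\b(?P<attrs>[^>]*)>', re.I)
ATTR_RE = re.compile(r'(?P<k>[\w-]+)\s*=\s*"(?P<v>[^"]*)"')


def _attrs(text):
    """Parse name="value" pairs from a tag into a lowercase-keyed dict."""
    return {m.group('k').lower(): m.group('v') for m in ATTR_RE.finditer(text)}


def analyse_embed(body):
    """Return (swf_source, reasons) for the markup inside one <lj-embed>."""
    size, params, embed = {}, {}, {}
    for m in TAG_RE.finditer(body):
        a = _attrs(m.group('attrs'))
        name = m.group('name').lower()
        if name == 'object':
            size = a
        elif name == 'param' and 'name' in a:
            params[a['name'].lower()] = a.get('value', '')
        elif name == 'embed':
            embed = a
    reasons = []
    w = size.get('width') or embed.get('width')
    h = size.get('height') or embed.get('height')
    if w in ('0', '1') and h in ('0', '1'):
        reasons.append('hidden %sx%s object' % (w, h))
    if 'always' in (params.get('allowscriptaccess', '').lower(),
                    embed.get('allowscriptaccess', '').lower()):
        reasons.append('allowScriptAccess=always')
    if 'transparent' in (params.get('wmode', '').lower(),
                         embed.get('wmode', '').lower()):
        reasons.append('wmode=transparent')
    src = params.get('movie') or embed.get('src', '')
    return src, reasons


def is_suspicious(reasons):
    """Hidden object that may script the page: the worm's signature.
    A normal video embed may also set allowScriptAccess=always, but it
    is hundreds of pixels wide, so size is the discriminator."""
    return (any(r.startswith('hidden') for r in reasons)
            and 'allowScriptAccess=always' in reasons)


def scan_entry(html):
    """List (embed id, swf source, reasons) for each suspicious embed."""
    hits = []
    for m in EMBED_RE.finditer(html):
        src, reasons = analyse_embed(m.group('body'))
        if is_suspicious(reasons):
            hits.append((m.group('id'), src, reasons))
    return hits


def clean_entry(html):
    """Remove suspicious <lj-embed> blocks; other embeds are kept intact."""
    def keep_or_drop(m):
        _, reasons = analyse_embed(m.group('body'))
        return '' if is_suspicious(reasons) else m.group(0)
    return EMBED_RE.sub(keep_or_drop, html).rstrip()


# Constructed sample: one ordinary video embed, then two injected blocks in
# the shape quoted above, pointing at a placeholder host (.invalid TLD).
BAD = 'http://cdn.example.invalid/x.swf'
SAMPLE_ENTRY = (
    '<p>Went to the park today.</p>'
    '<lj-embed id="3"><object width="425" height="344">'
    '<param name="movie" value="http://www.youtube.com/v/VIDEOID"></param>'
    '<param name="allowScriptAccess" value="always"></param>'
    '<embed src="http://www.youtube.com/v/VIDEOID" type="application/x-shockwave-flash" '
    'width="425" height="344"></embed></object></lj-embed>'
    + ''.join(
        '<lj-embed id="%d"><object width="1" height="1">'
        '<param name="movie" value="%s"></param>'
        '<param name="wmode" value="transparent"></param>'
        '<param name="allowScriptAccess" value="always"></param>'
        '<embed src="%s" type="application/x-shockwave-flash" width="1" height="1" '
        'wmode="transparent"></embed></object> </lj-embed>' % (i, BAD, BAD)
        for i in (26, 27))
)

if __name__ == '__main__':
    for eid, src, reasons in scan_entry(SAMPLE_ENTRY):
        print('lj-embed id=%s loads %s: %s' % (eid, src, ', '.join(reasons)))
    print(clean_entry(SAMPLE_ENTRY))
```

Run it against the raw HTML of an entry from the edit page; the video embed survives cleaning while both 1x1 blocks are reported and removed. Adjust the size threshold if a site legitimately uses small tracking objects, but anything invisible that also asks for script access deserves a look.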


Further information will be added to this post as it comes in. It is not reported to be stealing cookies; however, it would not be amiss to expire all your current login sessions and log back in. Content placeholders and the use of Flashblock and NoScript are currently highly recommended; block the lj-toys.com domain (that domain should be okay now). Other LJ security concerns can also be mitigated with NoScript: ads shown on LiveJournal can occasionally carry malware, and spam bot accounts sometimes spread malicious links in posts or comments; in some cases, accounts have been hijacked and their entries replaced with a misleading post saying the owner had moved, with a link to malware. You can see a report on LJ's safety at Google Safe Browsing.

Based on the disassembled code, it also appears to harvest your primary email address.

LJ will update the lj_releases community when they have more information. As far as is known at this time, LJ clones such as InsaneJournal and DeadJournal, and LJ forks such as Dreamwidth, are not affected. This security breach is not related to the recent code release or to the Your Journal - Your Money program.

Feel free to spread this post around to help notify others.

ETA 12:57AM PST: YouTube embedding appears to have been re-enabled.
ETA 7:25AM PST: lj_releases post made earlier in the night.
ETA 7:53AM PST: news post with a good summary and explanation made earlier this morning.
ETA 5:40AM PST 9/24: Clarified the distinction between lj-toys.com and ljtoys.org.uk.
Comments 
(Deleted comment)
23rd-Sep-2009 07:24 am (UTC)
I kept wondering why Avast kept telling me it had stopped a virus while surfing LJ. I guess I couldn't see the Flash because of Adblock?
23rd-Sep-2009 08:01 am (UTC)
I'm not sure if AdBlock would block this unless it was blocking all Flash content, as I don't think the domain is included in the usual ad subscription filters. The Flash didn't actually load anything to view, it just ran the code.
23rd-Sep-2009 07:36 am (UTC)
Yep, that's exactly what got embedded on my last entry, save with different lj-embed id numbers. Except I think it was hours, not minutes, after I posted.
23rd-Sep-2009 07:38 am (UTC)
It wouldn't happen until you viewed an entry that was infected (probably on your friends page, but anywhere on LJ that the entry appears would work).
23rd-Sep-2009 08:00 am (UTC)
do i need to worry about my journal being hacked? should i change my password or anything?
23rd-Sep-2009 08:33 am (UTC)
Based on analysis of the malicious code, it didn't do anything but (a) harvest your email address and (b) edit your entries to spread itself further. There's no way it could've gotten your actual password, but it may have gotten your journal's cookies (little pieces of information on your computer that identify you to LJ), which would allow whoever's behind it to pretend to be you to LJ.

The safest thing to do, if you were hit, is to go to Manage Logins, expire all your sessions, and then log back in, after you clean up your journal entries to remove the malicious code. Doing this will eliminate all possibility that someone malicious will have access to your journal. You don't need to change your password.
(Deleted comment)
(Deleted comment)
(Deleted comment)
23rd-Sep-2009 08:44 am (UTC)
Thanks so much for posting this!

I had no clue what was up and actually did a mini-rant about items being disabled on my Profile page.

It's great to know about this -- and to help spread the word!
23rd-Sep-2009 08:51 am (UTC)
It's not as urgent as it used to be, at least--it's a very recent development. The infection is contained as far as I know, but people need to know to check their latest entries, because friended entries made public with no warning can cause no end of grief!
23rd-Sep-2009 09:45 am (UTC)
Thanks!
23rd-Sep-2009 10:32 am (UTC)
I looked at my entries, with the edit link and all, and I can't find it. But I installed NoScript on my Firefox and it says it was in my journal, so I blocked it. Where could it be if not inside posts? I'd like to delete it...
Thanks for the help. [I have to add that I don't see ads.]

Edited at 2009-09-23 10:35 am (UTC)
(Deleted comment)
23rd-Sep-2009 11:15 am (UTC)
The Manage Logins page only shows one login for me, even though I know I'm logged in on at least three computers plus my mobile phone. Any idea why? And would manually logging out and logging back in on each of those devices help?
(Deleted comment)
23rd-Sep-2009 12:17 pm (UTC)
Is there a need to change my primary email address? What if you have the @livejournal.com email forwarding on, or if your email is hidden in your profile? Is there a way to know you're infected?
23rd-Sep-2009 03:02 pm (UTC)
Nope. If you still have access to your primary email address, you should be fine. (Sometimes people's Hotmail accounts go inactive, which then allows somebody to take over that email account and gain access to your journal through resetting your password if you were using that Hotmail account as an email address on LJ.)

The only infection occurs in entries--if you don't have the weird code put into the bottom of one of your recent LJ entries, you are fine. It doesn't infect your computer.
23rd-Sep-2009 02:39 pm (UTC)
Okay, as a completely clueless-when-it-comes-to-viruses-and-stuff-like-this Mac user I have to ask: Does this affect Macs too? (Not that I'm in much danger since I've got placeholders, Flashblock, AND NoScript activated and didn't click on any embedded content yesterday, that I can remember in any case :-)
23rd-Sep-2009 02:42 pm (UTC)
Yes, it would also affect Macs. This exploit doesn't care what operating system you use, since it only touches your browser and LJ.

-another Mac user
(Deleted comment)
23rd-Sep-2009 03:44 pm (UTC)
Thanks for these links.
23rd-Sep-2009 07:29 pm (UTC)
Knowing the server that the script sent addresses back to, is it possible to find and prosecute the culprits?

(Personally, I was never too pleased to see the embed code I pasted in my posts modified behind my back to include LJ Toys. I never knew what that was about anyway. But it clearly made a bright idea turn out to be dumb, which is so often the case).
23rd-Sep-2009 07:36 pm (UTC)
I don't know--it looks like you can set up a free trial account on the SimpleCDN service without anything like a credit card number, and even if they did require one, it could be stolen. So it might not be possible to trace them down.

In itself, embedding things in a different domain is not a dumb idea--for instance, Dreamwidth does the same thing for security reasons--but as far as I can tell from people who have been investigating, LJ's made some poor configuration decisions that made this possible.
24th-Sep-2009 12:07 am (UTC)
Please don't block access to my home live journal page by forcing me to consider guest whatever that was. If I ever want it I'll go searching through your tools and services for it. It's making it harder for me to see if anything's happened to that part of my account.

thanks, Phil
24th-Sep-2009 12:11 am (UTC)
I am confused by this request and do not quite understand what it is asking for?
24th-Sep-2009 09:34 am (UTC) - problem is for lj-toys, not with ljToys.
When I read your post, I wrote an e-mail to ljtoys.org.uk. I received the reply below. Having two utilities with almost identical names leads to confusion.

+++++++++++++++++++++++++++++++++++++

I see no problems with my posts, but others are spreading the word that ljToys has been hacked. I thought you should know about it.

Alobar

Urgent security notice: embedded content security breach

As far as known at this time, LJ has had a security breach with the embedded content domain lj-toys.com. This breach resets the icon and metadata of your most recent post and sets the security to public, along with inserting malicious Flash content into the body of the post, within minutes of viewing an infected Flash file. Then, other people viewing that Flash content in your entry will also become infected. Because of this, embedding on LJ has been disabled, so there should be no new infections from the LiveJournal site itself. Many people's journals have already been tampered with--however, it only affects your journal, not your computer.

http://community.livejournal.com/meta_lj/567.html

++++++++++++++++++++++++++++++++++

admin@ljtoys.org.uk to me

Fortunately LJToys is nothing to do with lj-toys.com. We were here first (five years ago!) and those assholes copied the name. It's been nothing but trouble and I wish I'd done something about it at the time.
24th-Sep-2009 12:42 pm (UTC) - Re: problem is for lj-toys, not with ljToys.
You're right--I was confused about that too when I very first heard about this, before I made this post, and I should have made it clearer when I wrote it (since some people aren't going to know the different domains, or what LJ's embedded content domain means)! It should be more obvious now, thanks.

Edited at 2009-09-24 12:43 pm (UTC)