You should check your latest journal entries using this page. Affected entries will contain blocks of embedded Flash at the end. Depending on your LJ usage patterns, you may have more than one recent entry affected. Remove the added code (and reset your metadata, icon and post security if wanted).
Here is an example of the code inserted into posts (with all links redacted; this example linked to a .swf on e1h5.simplecdn.net):
<lj-embed id="26">
<object width="1" height="1"><param name="movie" value="LINKTOBADFLASH"></param><param name="wmode" value="transparent"></param><param name="allowScriptAccess" value="always"></param><embed src="LINKTOBADFLASH" type="application/x-shockwave-flash" width="1" height="1" wmode="transparent"></embed></object>
</lj-embed>
<lj-embed id="27">
<object width="1" height="1"><param name="movie" value="LINKTOBADFLASH"></param><param name="wmode" value="transparent"></param><param name="allowScriptAccess" value="always"></param><embed src="LINKTOBADFLASH" type="application/x-shockwave-flash" width="1" height="1" wmode="transparent"></embed></object>
</lj-embed>
<lj-embed id="28">
<object width="1" height="1"><param name="movie" value="LINKTOBADFLASH"></param><param name="wmode" value="transparent"></param><param name="allowScriptAccess" value="always"></param><embed src="LINKTOBADFLASH" type="application/x-shockwave-flash" width="1" height="1" wmode="transparent"></embed></object>
</lj-embed>
<lj-embed id="29">
<object width="1" height="1"><param name="movie" value="LINKTOBADFLASH"></param><param name="wmode" value="transparent"></param><param name="allowScriptAccess" value="always"></param><embed src="LINKTOBADFLASH" type="application/x-shockwave-flash" width="1" height="1" wmode="transparent"></embed></object>
</lj-embed>
Further information will be added to this post as it comes in. It's not reported to be stealing cookies; however, you would not be amiss to expire all your current login sessions and log back in. Content placeholders and the use of Flashblock and NoScript are currently highly recommended.
Based on the disassembled code, it appears to also harvest your primary email address.
LJ will update the
Feel free to spread this post around to help notify others.
ETA 12:57AM PST: YouTube embedding appears to have been reenabled.
ETA 7:25AM PST: lj_releases post done earlier in the night.
ETA 7:53AM PST: news post with good summary and explanation made earlier this morning.
ETA 5:40AM PST 9/24: Clarified distinction between lj-toys.com and ljtoys.org.uk.
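One way to run the check described in this post over entry source copied out of the editor, as an added example (not part of the original post and not LiveJournal code): it flags every lj-embed whose Flash object is 1x1 pixel, the shape of the block quoted above. The class and function names, the sample entry and the LEGITVIDEO placeholder are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample: a hidden block as quoted in the post, a normal video embed, an empty one.
SAMPLE_ENTRY = (
    '<p>Went hiking today.</p><lj-embed id="26">\n'
    '<object width="1" height="1"><param name="movie" value="LINKTOBADFLASH"></param>'
    '<param name="wmode" value="transparent"></param>'
    '<param name="allowScriptAccess" value="always"></param>'
    '<embed src="LINKTOBADFLASH" type="application/x-shockwave-flash" width="1" '
    'height="1" wmode="transparent"></embed></object> </lj-embed>'
    '<lj-embed id="27"><object width="480" height="385"><param name="movie" '
    'value="LEGITVIDEO"></param><embed src="LEGITVIDEO" '
    'type="application/x-shockwave-flash" width="480" height="385"></embed>'
    '</object></lj-embed><lj-embed id="28" />'
)

class EmbedAuditor(HTMLParser):
    """Records which traits of the injected blocks each <lj-embed> shows."""
    def __init__(self):
        super().__init__()
        self.findings = []   # (embed id, sorted traits) for hidden embeds
        self._open = None    # (id, set of traits) while inside an <lj-embed>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}  # names arrive lowercased
        if tag == "lj-embed":
            self._open = (a.get("id", "?"), set())
        elif self._open is not None:
            traits = self._open[1]
            if tag in ("object", "embed") and a.get("width") == a.get("height") == "1":
                traits.add("1x1 pixel")
            if tag == "param" and a.get("name") == "allowscriptaccess" and a.get("value") == "always":
                traits.add("allowScriptAccess=always")
            if a.get("wmode") == "transparent" or (
                    tag == "param" and a.get("name") == "wmode" and a.get("value") == "transparent"):
                traits.add("wmode=transparent")

    def handle_endtag(self, tag):
        if tag == "lj-embed" and self._open is not None:
            embed_id, traits = self._open
            if "1x1 pixel" in traits:  # an invisible object is the deciding trait
                self.findings.append((embed_id, sorted(traits)))
            self._open = None

def audit_entry(html):
    """Return [(lj-embed id, traits)] for every embed holding a 1x1 object."""
    parser = EmbedAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Empty placeholders such as `<lj-embed id="28" />` carry no markup to inspect, so they are not flagged; open the entry in the editor to see the full embed source before auditing it.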
September 23 2009, 07:20:34 UTC 2 years ago
<lj-embed id="61" /><lj-embed id="62" /><lj-embed id="63" /><lj-embed id="64" />.
And when I edited the entry, something about simplecdn. Your embed ids will differ, obviously.
September 23 2009, 08:33:37 UTC 2 years ago
The safest thing to do, if you were hit, is to go to Manage Logins, expire all your sessions, and then log back in, after you clean up your journal entries to remove the malicious code. Doing this will eliminate all possibility that someone malicious will have access to your journal. You don't need to change your password.
September 23 2009, 08:44:01 UTC 2 years ago
I had no clue what was up and actually did a mini-rant about items being disabled on my Profile page.
It's great to know about this -- and to help spread the word!
September 23 2009, 10:32:09 UTC 2 years ago Edited: September 23 2009, 10:35:06 UTC
thanks for the help. [I have to add that I don't see Ads]
September 23 2009, 10:41:54 UTC 2 years ago Edited: September 23 2009, 10:42:50 UTC
ETA: Oh actually, sorry I missed the part where noscript said something was in your journal. Do you know what URL, specifically, it was warning you about?
September 23 2009, 15:02:47 UTC 2 years ago
The only infection occurs in entries--if you don't have the weird code put into the bottom of one of your recent LJ entries, you are fine. It doesn't infect your computer.
September 23 2009, 14:42:44 UTC 2 years ago
-another Mac user
September 23 2009, 19:29:05 UTC 2 years ago
(Personally, I was never too pleased to see the embed code I pasted in my posts modified behind my back to include LJ Toys. I never knew what that was about anyway. But it clearly made a bright idea turn out to be dumb, which is so often the case).
September 23 2009, 19:36:09 UTC 2 years ago
In itself, embedding things in a different domain is not a dumb idea--for instance, Dreamwidth does the same thing for security reasons--but as far as I can tell from people who have been investigating, LJ's made some poor configuration decisions that made this possible.
September 24 2009, 00:07:44 UTC 2 years ago
thanks, Phil
September 24 2009, 09:34:04 UTC 2 years ago
problem is for lj-toys, not with ljToys.
When I read your post, I wrote an e-mail to ljtoys.org.uk. I received the reply below. Having two utilities with almost identical names leads to confusion.
+++++++++++++++++++++++++++++++++++++
I see no problems with my posts, but others are spreading the word that ljToys has been hacked. I thought you should know about it.
Alobar
Urgent security notice: embedded content security breach
As far as known at this time, LJ has had a security breach with the embedded content domain lj-toys.com. This breach resets the icon and metadata of your most recent post and sets the security to public, along with inserting malicious Flash content into the body of the post, within minutes of viewing an infected Flash file. Then, other people viewing that Flash content in your entry will also become infected. Because of this, embedding on LJ has been disabled, so there should be no new infections from the LiveJournal site itself. Many people's journals have already been tampered with--however, it only affects your journal, not your computer.
http://community.livejournal.com/meta_l
++++++++++++++++++++++++++++++++++
admin@ljtoys.org.uk to me
Fortunately LJToys is nothing to do with lj-toys.com. We were here first (five years ago!) and those assholes copied the name. It's been nothing but trouble and I wish I'd done something about it at the time.
September 24 2009, 12:42:13 UTC 2 years ago Edited: September 24 2009, 12:43:24 UTC
Re: problem is for lj-toys, not with ljToys.
You're right--I was confused, too, about that when I very first heard about this, before I made this post, and I should have made it more clear when I wrote it (since some people aren't going to know the different domains, or what LJ's embedded content domain means)! It should be more obvious now, thanks.