Skittish Eclipse (foxfirefey) wrote in meta_lj,
Skittish Eclipse
foxfirefey
meta_lj

Urgent security notice: embedded content security breach

As far as known at this time, LJ has had a security breach with the embedded content domain lj-toys.com (not to be confused with the third party domain, ljtoys.org.uk). This breach resets the icon and metadata of your most recent post and sets the security to public, along with inserting malicious Flash content into the body of the post, within minutes of viewing an infected Flash file. Then, other people viewing that Flash content in your entry will also become infected. Because of this, embedding on LJ has been disabled, so there should be no new infections from the LiveJournal site itself. Many people's journals have already been tampered with--however, it only affects your journal, not your computer.

You should check your latest journal entries using this page. Affected entries will contain blocks of embedded Flash at the end. Depending on your LJ usage patterns, you may have more than one recent entry affected. Remove the added code (and reset your metadata, icon and post security if wanted).

Here is an example of the code inserted into posts (with all links redacted; this example linked to a .swf on e1h5.simplecdn.net):

<lj-embed id="26">
<object width="1" height="1"><param name="movie" value="LINKTOBADFLASH"></param><param name="wmode" value="transparent"></param><param name="allowScriptAccess" value="always"></param><embed src="LINKTOBADFLASH" type="application/x-shockwave-flash" width="1" height="1" wmode="transparent"></embed></object> </lj-embed><lj-embed id="27">
<object width="1" height="1"><param name="movie" value="LINKTOBADFLASH"></param><param name="wmode" value="transparent"></param><param name="allowScriptAccess" value="always"></param><embed src="LINKTOBADFLASH" type="application/x-shockwave-flash" width="1" height="1" wmode="transparent"></embed></object> </lj-embed><lj-embed id="28">
<object width="1" height="1"><param name="movie" value="LINKTOBADFLASH"></param><param name="wmode" value="transparent"></param><param name="allowScriptAccess" value="always"></param><embed src="LINKTOBADFLASH" type="application/x-shockwave-flash" width="1" height="1" wmode="transparent"></embed></object> </lj-embed><lj-embed id="29">
<object width="1" height="1"><param name="movie" value="LINKTOBADFLASH"></param><param name="wmode" value="transparent"></param><param name="allowScriptAccess" value="always"></param><embed src="LINKTOBADFLASH" type="application/x-shockwave-flash" width="1" height="1" wmode="transparent"></embed></object>
</lj-embed>


Further information will be added to this post as it comes in. It's not reported to be stealing cookies; however, you would not be amiss to expire all your current login sessions and log back in. Content placeholders and the use of Flashblock and NoScript are currently highly recommended--block the lj-toys.com domain (that domain should be okay now). (Other LJ security concerns can also be mitigated with NoScript: Ads shown on LiveJournal can occasionally carry malware. Sometimes spam bot accounts spread malicious links in posts or comments; in some cases, accounts have been hijacked and their entries replaced with a misleading post saying they had moved with a link to malware. You can see a report on LJ's safety at Google Safebrowsing.)

Based on the disassembled code, it appears to also harvest your primary email address.

LJ will update the lj_releases community when they have more information. As far as known at this time, LJ clones such as InsaneJournal and Deadjournal and LJ forks such as Dreamwidth are not affected. This security breach is not related to the recent code release, or the Your Journal - Your Money program.

Feel free to spread this post around to help notify others.

ETA 12:57AM PST: YouTube embedding appears to have been reenabled.
ETA 7:25AM PST: lj_releases post done earlier in the night.
ETA 7:53AM PST: news post with good summary and explanation made earlier this morning
ETA 5:40AM PST 9/24: Clarified distinction between lj-toys.com and ljtoys.org.uk.
Tags: breaking news
Subscribe

  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your IP address will be recorded 

  • 63 comments