[personal profile] thorfinn
LJ-news: Media embedding change - important notice
DW-maintenance: LJ web security exploit

In short, LJ had a "cross site scripting hack" which infected a bunch of people's accounts. Check the LJ news post and verify you're okay if you're on LJ.

However, Dreamwidth wasn't vulnerable.

Yet another reason to Dump LJ in favour of Dreamwidth.

ETA: If you're not running some kind of Flash blocker, you probably want to be.

Safari - http://apple.com/safari - http://hoyois.github.com/safariextensions/clicktoplugin/ (Was: http://rentzsch.github.com/clicktoflash/)

Firefox - http://mozilla.com/firefox - http://noscript.net/ or http://flashblock.mozdev.org/

Opera - http://opera.com/ - http://my.opera.com/Lex1/blog/index.dml/tag/Flashblock

Chrome - http://google.com/chrome - http://www.privoxy.org/ (run a local proxy) or switch to one of the above.

Internet Explorer - http://www.microsoft.com/ie - http://www.privoxy.org/ (run a local proxy) or switch to one of the above.

(no subject)

Date: 2009-09-25 10:52 (UTC)
From: [personal profile] qamar
What's the issue with flash?--Other than being annoying? :)

(no subject)

Date: 2009-09-25 21:47 (UTC)
From: [personal profile] bens_dad
I think it is just another interpreted language that allows you to read a program from one web site that, when run, writes data into another site in such a way that it will be run later.
The way around this is that each program should run in a "sandbox" so that it can only interact with the site that it was loaded from. I don't know whether the flash interpreter just doesn't have a sandbox, or doesn't have one that does what it says on the tin.

(no subject)

Date: 2009-09-25 22:35 (UTC)
From: [personal profile] foxfirefey
The problem was that LJ had a crossdomain.xml file set up to allow any site to do that, which is apparently a big problem:

http://shiflett.org/blog/2006/sep/the-dangers-of-cross-domain-ajax-with-flash

(no subject)

Date: 2009-09-30 05:56 (UTC)
From: [personal profile] foxfirefey
Oh, I was keeping track of posts on Dreamwidth like I usually do (in case someone needs assistance), and this one caught my eye because it was also about that issue! But I think I've seen you about a bit, and I wouldn't be surprised if you've seen me about a bit!

Excellent!

Date: 2009-09-25 10:59 (UTC)
From: [personal profile] drjon
Mind if I swipe this post?

(no subject)

Date: 2009-09-28 01:17 (UTC)
From: [personal profile] tcpip
*nods* Ayup, what you said.
