thorfinn ([personal profile] thorfinn) wrote 2009-09-25 04:53 pm

Security again, LJ vs DW

LJ-news: Media embedding change - important notice
DW-maintenance: LJ web security exploit

In short, LJ had a "cross site scripting hack" which infected a bunch of people's accounts. Check the LJ news post and verify you're okay if you're on LJ.

However, Dreamwidth wasn't vulnerable.

Yet another reason to Dump LJ in favour of Dreamwidth.

ETA: If you're not running some kind of flash blocker, you probably want to be.

Safari - http://apple.com/safari - http://hoyois.github.com/safariextensions/clicktoplugin/ (Was: http://rentzsch.github.com/clicktoflash/)

Firefox - http://mozilla.com/firefox - http://noscript.net/ or http://flashblock.mozdev.org/

Opera - http://opera.com/ - http://my.opera.com/Lex1/blog/index.dml/tag/Flashblock

Chrome - http://google.com/chrome - http://www.privoxy.org/ (run a local proxy) or switch to one of the above.

Internet Explorer - http://www.microsoft.com/ie - http://www.privoxy.org/ (run a local proxy) or switch to one of the above.

[personal profile] foxfirefey 2009-09-25 10:35 pm (UTC)
The problem was that LJ had a crossdomain.xml file set up to allow any site to do that, which is apparently a big problem:

http://shiflett.org/blog/2006/sep/the-dangers-of-cross-domain-ajax-with-flash
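
An added example, not part of the original post, the comment above, or LiveJournal's code: a small Python audit that flags the kind of allow-any-site crossdomain.xml the comment describes. Both sample policies are constructed, and the function name `audit_policy` and its rule labels are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies for illustration (not LiveJournal's actual file).
PERMISSIVE = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

RESTRICTED = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.com"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return (rule, detail) findings for a Flash cross-domain policy."""
    # Fine for the inline samples; for files fetched from the network,
    # parse with a hardened parser such as defusedxml instead.
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("not-a-policy", root.tag)]
    findings = []
    for tag in ("allow-access-from", "allow-http-request-headers-from"):
        for el in root.iter(tag):
            domain = el.get("domain", "")
            if domain == "*":
                # Any site's Flash content is trusted by this host.
                findings.append(("any-domain", tag))
            elif "*" in domain:
                # Every matching subdomain is trusted, including user-content hosts.
                findings.append(("wildcard-subdomain", domain))
            if el.get("secure", "true").lower() == "false":
                # Content served over plain HTTP may access HTTPS resources.
                findings.append(("insecure-allowed", domain))
    for el in root.iter("site-control"):
        if el.get("permitted-cross-domain-policies") == "all":
            # Policy files anywhere on the host are honoured, not just the master.
            findings.append(("any-policy-file", "site-control"))
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(name, audit_policy(policy))
```

An empty list means none of these four patterns matched; it does not show that the listed domains are themselves trustworthy.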

[personal profile] foxfirefey 2009-09-30 05:56 am (UTC)
Oh, I was keeping track of posts on Dreamwidth like I usually do (in case someone needs assistance), and this one caught my eye because it was also about that issue! But I think I've seen you about a bit, and I wouldn't be surprised if you've seen me about a bit!