LiveJournal XSS Security Challenge

Jamesday writes "LiveJournal is offering a free permanent account and possibly other prizes to those who find new vulnerabilities in its XSS Security Challenge. LiveJournal has recently been attacked via a Firefox XSS exploit."
  • Poor guys at livejournal.. You're going to slashdot their VM test box.
    • Hey, how did you know what software we were running?

      -SixApart CEO
    • Poor guys at livejournal.. You're going to slashdot their VM test box.

      Poor guys at livejournal.. We did slashdot their VM test box.
      That's what they get for giving it too little memory. Hey! At least the icon comes through!
  • by Steev ( 5372 ) <steve&stevedinn,com> on Tuesday January 31, 2006 @10:29AM (#14606514) Homepage
    Maybe if the prize was something useful, I might be interested. I have my hands full exploiting MySpace.
    • Maybe if the prize was something useful, I might be interested. I have my hands full exploiting MySpace.

      I was until Tom took down LOGIN for fucking repairs.
      The fucking login!!! And there are MILLIONS OF PEOPLE who use that site.
      Since things that suck are coming into fashion I'm wondering when Windows ME is going to make its big comeback...
    • Right. I can't imagine anyone who is both (1) qualified and (2) interested in the reward.
  • Y'know... (Score:5, Interesting)

    by Grendel Drago ( 41496 ) on Tuesday January 31, 2006 @10:30AM (#14606518) Homepage
    ... this wouldn't even be necessary if they'd taken security seriously in the first place, instead of tacking it on as an afterthought, or using the "eh, we can probably trust all this user-submitted content" model.

    But still, good to see them taking it seriously. Now, instead of Bantown getting an eternal newspost declaring their victory, they'll just get permanent accounts.
    • Re:Y'know... (Score:1, Flamebait)

      by Billosaur ( 927319 ) *
      ... this wouldn't even be necessary if they'd taken security seriously in the first place, instead of tacking it on as an afterthought, or using the "eh, we can probably trust all this user-submitted content" model.

      Oh, but we can trust users, can't we? And what's with a little harmless hacking? Good for the spirit, good for the soul!

      Making software bulletproof is probably impossible. If one coder can think something up, another can devise a way to break it or exploit it. LiveJournal is going to run thei

      • Re:Y'know... (Score:4, Insightful)

        by laffer1 ( 701823 ) <luke@@@foolishgames...com> on Tuesday January 31, 2006 @11:24AM (#14606928) Homepage Journal
        What I find interesting about your comment is that you admit it's probably impossible to make bulletproof software, yet you think they should rewrite it "correctly". I see comments like this all the time on slashdot and on security minded lists like bugtraq, webappsec, etc. I've yet to see anyone come up with a list or example site that is "written correctly." In the rare case someone does offer an example, it's usually as bad as something I'd see in a CS class. There is like one or two input fields that have very well defined input. Anyone could write secure code for that. On the Internet, it's not that easy. People want to post HTML comments, invalid HTML, 10 year old HTML, javascript they generated on some site to make a button or sig come alive. Blogging sites have two target audiences, 18-30 year olds and younger people. Most younger people would prefer to use an IM client than anything else, and occasionally older people do keep blogs. Live Journal has a better range than most sites. Most people in these target groups want to post HTML comments or at least rich formatted posts.

        I don't think people realize how complex a blogging site can be. Attempting to secure a blogging site is a real task. Live journal actually has a revenue stream and paid programmers so there is less excuse for them not to try, but succeeding is another matter. In reality, if they cut off rich content posting then their users will move on to another service or simply find an OSS product they can run themselves. Then we'll have automated attacks on those scripts. I've written a blogging site in java, and it's not even close to secure. I'm in the process of rewriting the whole thing in a language I'm more familiar with. It's not an easy task.
        • I don't think people realize how complex a blogging site can be. Attempting to secure a blogging site is a real task. Live journal actually has a revenue stream and paid programmers so there is less excuse for them not to try, but succeeding is another matter.

          There is a vast difference between making a site "bulletproof" and making it work "correctly." Make no mistake, any software undertaking is not easy, but when a piece of software has to interact with the outside environment, the correct procedure is

      • Re:Y'know... (Score:2, Informative)

        by njyoder ( 164804 )
        That won't happen. About a week ago LJ changed its cookie scheme. This scheme places a cookie on www.livejournal.com which is what is required to post anything and to change account settings. All journals are under some other hostname, so it is impossible to use XSS to get that www.livejournal.com (ljmastersession) cookie unless a bug in a browser breaks its own security model (that's beyond the scope of anything a website can do though). They also use HTTPOnly cookies for MSIE, which means that none of
      • Making software bulletproof is probably impossible.

        Tell that to Dan Bernstein [wikipedia.org] or Donald Knuth [wikipedia.org].
    • Re:Y'know... (Score:2, Informative)

      They always have taken it seriously. In fact IE LJ users have been nearly invulnerable from simple (stuff that doesn't exploit IE cross-domain vulnerabilities) XSS attacks for years, because of LJ's use of HTTPONLY cookies.

      Firefox devs have in the past explicitly ruled out supporting HTTPONLY pretty much just because Microsoft invented it. The result is Firefox users are much more vulnerable to XSS attacks than IE users.
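The cookie-scoping and HTTPONLY argument made in this post and in njyoder's reply above, modelled as an added example (not LiveJournal's code): it assumes journals live on a hostname such as someuser.livejournal.com, a browser that honours HttpOnly, and the cookie attributes shown, and the shared-domain cookie is a constructed contrast.

```python
# Added example, not LiveJournal's code. Models which cookies injected script on a
# journal page could read under two cookie schemes: a session cookie scoped to
# www.livejournal.com with HttpOnly, versus one shared across *.livejournal.com.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str        # host the cookie is scoped to, e.g. "www.livejournal.com"
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    http_only: bool    # True when Set-Cookie carried the HttpOnly attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: hosts are equal, or the cookie domain is a
    dot-separated suffix of the request host ("evil-livejournal.com" is not)."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def sent_to(cookie: Cookie, request_host: str) -> bool:
    """Would the browser attach this cookie to a request for request_host?"""
    if cookie.host_only:
        return request_host.lower() == cookie.domain.lower()
    return domain_matches(request_host, cookie.domain)


def readable_by_script(cookie: Cookie, page_host: str) -> bool:
    """Can document.cookie on a page served from page_host see this cookie?
    It must be in scope for that host AND not flagged HttpOnly."""
    return sent_to(cookie, page_host) and not cookie.http_only


# Constructed sample cookies. The name ljmastersession comes from the thread;
# the attribute values are assumptions chosen to illustrate the scheme.
master = Cookie("ljmastersession", "www.livejournal.com", host_only=True, http_only=True)
shared = Cookie("ljsession", ".livejournal.com", host_only=False, http_only=False)


def exposure_report(page_host: str) -> dict:
    """Map each cookie name to whether script on page_host could read it."""
    return {c.name: readable_by_script(c, page_host) for c in (master, shared)}


if __name__ == "__main__":
    for host in ("someuser.livejournal.com", "www.livejournal.com"):
        print(host, exposure_report(host))
```

On the journal host the master cookie is not even sent, and on www.livejournal.com itself HttpOnly still hides it from script; the shared-domain cookie is readable from every subdomain.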
      • Cookies.... screw cookies, XSS is about so much more. As an example how about clipboard stealing, unfixed by Microsoft since 2002. :)
    • Funny thing about homegrown projects is that things always get tacked on. My boss says that he "has already thought of everything." I've found that to never be true. You may be perfect in every way, but the rest of the world is not.

      Stuff happens.
  • by RandoX ( 828285 )
    Matching steel bracelets? Just because LJ encourages it doesn't make it legal. At the very least, it's probably a violation of the TOS of your ISP.
    • If LJ is giving you permission to throw what you can at them, doing so can hardly be seen as wrong in the eyes of your ISP or the law.
      • So if I were to say, "I'm tired of my life. Please use this gun and shoot me in the head." and you did, do you think you aren't going for a ride in the back of the police car? Perhaps an extreme analogy, but I highly doubt that your ISP's TOS or applicable laws have a clause for "unless they asked for it".
        • by Rob T Firefly ( 844560 ) on Tuesday January 31, 2006 @10:45AM (#14606623) Homepage Journal
          Shooting you in the head is illegal no matter what, but hacking away at a computer is only illegal if you don't have permission to do so. Otherwise, everyone who ever implemented and tested their own security, everyone who took potshots at their own firewall, and every professional computer security tech who ever did his or her job at all, would be a criminal.
        • Yes, that's why I'm serving 25 to life for being a security consultant and there is no such thing as a penetration testing industry. Why post if you have no idea?
          • From the Time Warner Acceptable Use [timewarnercable.com] policy:

            The ISP Service may not be used to breach or attempt to breach the security, the computer, the software or the data of any person or entity, including Operator, to circumvent the user authentication features or security of any host, network or account, to use or distribute tools designed to compromise security, or to interfere with another's use of the ISP Service through the posting or transmitting of a virus or other harmful item to deliberately overload or fl
          • "Why post if you have no idea?"

            I see that this is your first time on Slashdot. Don't worry, it takes some time to get used to how we do things here but eventually it will all make sense.

  • Why only XSS? (Score:3, Insightful)

    by Tethys_was_taken ( 813654 ) on Tuesday January 31, 2006 @10:36AM (#14606552) Homepage
    I haven't R'd TFA completely, but why only XSS? Why not put the bounty up on ANY vulnerability? Is there something special about XSS bugs that makes them more important than other vulnerabilities?

    Besides, I think putting up a bounty makes it more "legal" and will bring out more of the more-experienced White Hats into the game and make LJ that much safer...
  • by digitaldc ( 879047 ) * on Tuesday January 31, 2006 @10:39AM (#14606573)
    LiveJournal is offering a free permanent account and possibly other prizes

    Rumours are the other prizes include books on forming lasting interpersonal relationships, 7-day trips to Club Med, and the book 'Romance for Dummies.'
    • The fine print:

      7-day trips to Club Med

      Actually, 7-day trips for two to Club Med, but in the event that you're going alone, doing the Han Solo thing, that'll be a 14-day trip for one. With a fully loaded mini-bar in your room if you ever get tired of 'shaking hands with the wookie'.
    • Rumours are the other prizes include books on forming lasting interpersonal relationships, 7-day trips to Club Med, and the book 'Romance for Dummies.'

      Y'know, those that live in Slash houses shouldn't cast stones...
  • by Gothmolly ( 148874 ) on Tuesday January 31, 2006 @10:44AM (#14606615)
    A free LiveJournal account? Boy, my friends on MySpace will be so jealous!
  • by revery ( 456516 ) <charles@NoSpam.cac2.net> on Tuesday January 31, 2006 @10:46AM (#14606630) Homepage
    Teenage, earth-loving, wiccan hackers unite!

    the above comment is an unfair stereotype and should be viewed with extreme suspicion
  • by tdvaughan ( 582870 ) on Tuesday January 31, 2006 @10:50AM (#14606658) Homepage
    Prize for proving that a product is insecure and poorly designed: the product itself!
  • by metamatic ( 202216 ) on Tuesday January 31, 2006 @11:11AM (#14606837) Homepage Journal
    *Account is only "lifetime" until they decide they don't like you.
    • ...then they kill you?!

      Sheesh, these guys are much tougher than I thought. At least I only get bad karma here.

      Justin.
      • They'll kill your account [xciv.org] any time they dislike what you post. Paid member, lifetime member, whatever. No right of appeal, your accuser and judge remain anonymous, no compromise allowed.
        • Looks like there was plenty of opportunity for him to appeal and compromise:

          The Abuse team also state that my account will be reinstated if I agree to delete the comment. I remind them that I have already offered to delete the comment if either (a) the troll's account is suspended... or (b) the TOS is updated...

          Compromise means that to get what you want, you don't always get it on all of your own terms. Meta wanted his way, his terms... unfortunately for him, it's not his website!

          The whole case was one

          • But it wasn't against the TOS at the time of the event, that's the whole point. If it had been, that would have been a different matter. And I offered to delete the comment if the TOS was corrected to prohibit it.
        • Fucking great sig btw. Any ideas how we might start a campaign to get an informationally dense statement like the below that on every single blog in the world...?

          "In 1989 the PRC violently suppressed a peaceful student protest in Tiananmen Square killing hundreds"

          90-odd letters. Not bad.

          J.
          • Well, it's on my blog, along with others, in slightly longer form. I encourage others to spread the meme. Squeezing it into a Slashdot sig was tough.
  • by Anonymous Coward on Tuesday January 31, 2006 @11:16AM (#14606870)
    "We're too incompetent and lazy to fix our own stuff. Why don't you do it for us, and for cheap/free?"
  • Marketing gimmick? (Score:2, Interesting)

    by joostje ( 126457 )
    From the announcement:
    STEP 1: Go to http://www.test.dev.livejournal.org/ [livejournal.org] . Make an account. Probably need to change it to paid so you can make styles/etc.
    So to be able to help them test their security, you have to pay them? Or am I missing something?
    • I created a test account to see if they let you change status to "paid" on the test server without paying. Nope.
      • Re:Marketing gimmick? (Score:3, Informative)

        by makomk ( 752139 )
        This got +3 Informative? You see the words "change it to paid" in the instructions linked to by Slashdot? Notice that they're a link? If you click on those, you can change your account on the test server to a "paid" one without actually paying anything. The interface is a bit bare, but it works.

        BTW, the only reason I haven't figured out a way to do something *really* nasty is that they seem to have totally disabled inline style markup on comments. (I've spotted some smaller holes, but if it wasn't for that
        • Ah, a magic link that the gp neglected to preserve. That makes more sense. The test server's copy of the standard account upgrade page still demands a CC#.
  • Turn ALL friends-only and private entries public, so everyone can see them. Thus rendering the "piggybackers*" obsolete, all the knives in each others backs will be totally revealed. Know those negative things you said in private about your boyfriend that he didn't know about? He would know now. ...and watch armageddon happen with a bunch of moody 19 year olds. :)

  • by Anonymous Coward

    The Cross Site Scripting FAQ [cgisecurity.com]
  • Timing is a wonderful thing, I'd just published a very similar issue with IE about an hour before the Firefox issue hit full disclosure: http://www.nth-dimension.org.uk/news/entry.php?e=156579087 [nth-dimension.org.uk]. If you run IE don't feel left out, we can run arbitrary Javascript via your style sheets too.
