mark: A photo of Mark kneeling on top of the Taal Volcano in the Philippines. It was a long hike. (Default)
Mark Smith ([staff profile] mark) wrote in [site community profile] dw_maintenance2009-09-23 09:18 am
  • Add Memory
  • Share This Entry

LJ web security exploit

If you use LiveJournal, you're probably aware of an exploit involving cross site Flash that was propagated over there for a little while last night (LJ news post). They've since taken steps to mitigate the issue, and are working on a permanent fix as we speak.

Some people have contacted me about Dreamwidth; this is something I should have posted about last night. We investigated both the source code of the exploit (Flash is easy to decompile) as well as the attack vector (how the exploit code works) and determined that Dreamwidth is not currently vulnerable to this attack.

I apologize for not posting about this last night. We investigated and made the determination that Dreamwidth was safe, but didn't mention it anywhere.
Flat | Top-Level Comments Only
kuwdora: Pooka - card 60, brian froud (Default)

[personal profile] kuwdora 2009-09-23 04:53 pm (UTC)(link)
*Fist bump* You are awesome.
hugh_mannity: (Default)

[personal profile] hugh_mannity 2009-09-23 05:03 pm (UTC)(link)
I'd rather not know that I'm safe than not know I'm at risk.

Thanks for all you do.
ninetydegrees: Art & Text: heart with aroace colors, "you are loved" (Default)

[personal profile] ninetydegrees 2009-09-23 05:32 pm (UTC)(link)
Thank you!
annalee: Holographic pool balls flickering in front of a sign reading "management not responsible for ball failure." (Firefly Ball Failure)

[personal profile] annalee 2009-09-23 05:46 pm (UTC)(link)
Just dropping in to say love to you guys for being on top of this and for your communication philosophy.
yohjideranged: (Cat - don't look behind you)

[personal profile] yohjideranged 2009-09-23 06:07 pm (UTC)(link)
Thank you very much for the answer!
pinesandmaples: Text only; reads "Not everything will be okay, but some things will." (Mac: Apple love)

[personal profile] pinesandmaples 2009-09-23 06:27 pm (UTC)(link)
I happened to get hit on LJ, and the first thing I did was check DW. I am so glad you guys have shored up that vulnerability.

I love feeling like this "isn't just a blog" to the Dreamwidth staffers. (I get that feeling all the time on LJ!)
archersangel: (approved)

[personal profile] archersangel 2009-09-23 08:27 pm (UTC)(link)
good to know!
princess: dreamsheep with pink crown and light pink tint (princess sheep)

[personal profile] princess 2009-09-23 08:30 pm (UTC)(link)
Thanks for posting that we're safe, and thanks for looking into it even if you forgot to post at the time!
afuna: Cat under a blanket. Text: "Cats are just little people with Fur and Fangs" (Default)

[personal profile] afuna 2009-09-24 02:06 am (UTC)(link)
<3
ieune: drawing of the capital letter H (Default)

[personal profile] ieune 2009-09-24 09:00 am (UTC)(link)
One more reason to be glad I quit LJ! Y'all rock!

[personal profile] nubriema 2009-09-24 04:46 pm (UTC)(link)
Now, believe me when I say that I certainly deleted my LJ for good now and changed the mail address before...
Seriously, I'm scared.

It's good to know that we're safe over here, but though I read the news post over on LJ now, I'm confused - can you tell what kind of "videos and other media" it is that got affected, or is that still uncertain? I'm not an expert at this, so I'm simply curious and want to know what I have to look out for and pay attention to.

<3 you guys for watching over us!
mark: A photo of Mark kneeling on top of the Taal Volcano in the Philippines. It was a long hike. (Default)

[staff profile] mark 2009-09-24 08:52 pm (UTC)(link)
It didn't affect videos and media, it's just that the exploit the attacker used was the same way you post videos and media. If you have ever posted a YouTube video, that's very similar to what the attacker did. Except instead of a YouTube video, they posted a "movie" that was a Flash file that did bad things.

[personal profile] nubriema 2009-09-25 06:09 pm (UTC)(link)
Oops, then I probably got that wrong. As I said, I'm not at all an expert at these things.

Thanks for explaining! :)
keris: Keris with guitar (Default)

[personal profile] keris 2009-09-26 10:07 am (UTC)(link)
Ah, thanks, that's a better explanation than I got from LJ. LJ's description sounded as though it was affecting real embedded videos. But even better that it doesn't afftect DW at all...
xyndarella: (Default)

[personal profile] xyndarella 2009-09-25 01:51 am (UTC)(link)
Thank you for promptly looking into this, even if the post was late. I really appreciate all that you and the DW staff do for the site. It's a nice place to be with a good atmosphere.
softestbullet: Aeryn cupping Pilot's cheek. He has his big eyes closed. (Default)

[personal profile] softestbullet 2009-09-25 05:49 pm (UTC)(link)
Thanks for letting us know!

[personal profile] jade_assassin 2009-09-26 12:54 am (UTC)(link)
Thanks for posting this ;3
ciphergoth: (Default)

[personal profile] ciphergoth 2009-09-29 09:40 pm (UTC)(link)
Did you remove the vulnerability post-fork, or did LJ add it?
mark: A photo of Mark kneeling on top of the Taal Volcano in the Philippines. It was a long hike. (Default)

[staff profile] mark 2009-09-29 09:46 pm (UTC)(link)
It's because LJ had a Flash cross domain policy file that allowed any Flash application, running on any site, to connect to LiveJournal. We don't allow any Flash application (except ones we host ourselves) connect to Dreamwidth right now.

Which, I guess, means that it's a configuration difference. We decided we didn't need this functionality yet, and did not enable it.
Flat | Top-Level Comments Only