lj_dev: Discussing The Security Changes

David Recordon (

daveman692) wrote in

lj_dev,
@ 2006-01-26 16:36:00

Discussing The Security Changes
As we announced last week in

news, we have changed the canonical URL of most journal, community, and syndicated content. We have also now changed our cookie handling as Brad previously described. In the end this means that it is much more difficult to steal a useful cookie. Our goal with our new cookie scheme is to limit the damage that can occur when your cookies do get stolen, which we're just going to assume is inevitable, as vulnerabilities have been found in all major browsers and we're quite sure new vulnerabilities will continue to be found.

Shortly before our news post last week, we became aware that it was possible to use the “-moz-binding” CSS attribute within Mozilla and Mozilla Firefox to execute arbitrary offsite JavaScript. As this attribute is designed to allow attaching an XBL transform and JavaScript to any node within the DOM, it is quite easy to use in a malicious fashion. A bug has also been filed in Mozilla's BugZilla tracker to try and address this issue. Over a year ago, we sponsored and developed a patch for Mozilla to support HTTPOnly cookies which emerged in Internet Explorer 6 and would have prevented this attack, though this patch was never included in Mozilla.

We immediately altered our cleaner to strip this attribute from entries and comments, though also realized that wasn't even half the battle. As we allow custom CSS in many of our styles, as well as the ability to link to an external stylesheet in a variety of fashions, it was quite possible to take advantage of this exploit and hijack the session cookie of any user who views your journal. As we, along with many other sites, used one cookie to authenticate a user, this cookie was quite powerful if stolen. If the user had not chosen to bind their cookie to their IP address, a malicious user could steal it, login as that user, deface the account and spam with it, as well as modify that user's style to include the exploit thus causing this problem to spread much like a virus.

Borrowing the idea from another development team within Six Apart, we decided we needed to break our cookies into three categories. One cookie would be our master cookie, this cookie would only be accessible on www.livejournal.com where we will not display untrusted content. A second cookie will be accessible on all subdomains of livejournal.com, though it only will say if you are logged in or not; it is solely for optimization. We then will issue one cookie for each journal you visit. This cookie will be only accessible on username.livejournal.com or community.livejournal.com/username as it is limited to a single journal. This cookie will only grant you the permission to read protected entries and post in the particular journal. This means that if the journal owner steals your cookie, they will be able to do nothing more than view their journal as if they are you. In the end you will have n+2 cookies, with n being the number of journals you visit.

Due to the fact that we cannot clean every external CSS stylesheet linked to every time we generate a journal page, this change is required. While it does not fully protect us from some new cross site scripting vulnerability that can be exploited via entries or comments, they are much easier to block, patch, and recover from quickly. With Mozilla deciding to allow the execution of arbitrary JavaScript via CSS, there is no other viable solution than the one we have undertaken.

We've already taken a variety of steps to further protect your account such as we've implemented a page where you can see all of your login session, now require your password to change your email address, and now send secure password reset emails. We also are planning future improvements, especially related to external CSS stylesheets, and hope everyone realizes the amount of attention we place on the security of every account. We're more than happy to answer any questions you have in regards to the changes we've made over the past week, though also hope it is understood that we are limited in what information we can share when actively dealing with a situation such as this.

Page 1 of 2
<<	[1] [2]	>>

(Post a new comment)

	dkogan 2006-01-27 12:50 am UTC (link)
	There's an extension noscript for Firefox which can be used to filter what scripts you allow to run where (so you can allow www.livejournal.com, but not a script loaded from www.hackers-r-us.com trying to load from within an LJ page). Not sure if that includes the sort of scenario described here, though. Looks like kind of a bleak scenario going on here. (Reply to this) (Thread)

	duskwuff 2006-01-27 12:58 am UTC (link)
	That won't protect you from a script injected into LJ's HTML (in an inline style or in an event handler), though. (Reply to this) (Parent)(Thread)(Expand)

	trulybloom 2006-01-27 01:03 am UTC (link)
	I appreciate your diligence with security issues. In this post, you specifically mention Mozilla, Mozilla Firefox, and Internet Explorer 6 - you also said, "as vulnerabilities have been found in all major browsers." What other browsers are you looking at for possible security issues? Opera, perhaps? (Reply to this) (Thread)

	daveman692 2006-01-27 01:05 am UTC (link)
	This specific issue is related to Mozilla and Mozilla FireFox, though all major browsers have had their share of vulnerabilities at one point or another. (Reply to this) (Parent)(Thread)(Expand)

	wcu 2006-01-27 01:08 am UTC (link)
	Hi David, I was wondering if you could please elaborate on the state of the lol.. Thank you, Jason (Reply to this) (Thread)

	irishmc 2006-01-27 02:33 am UTC (link)
	troll (Reply to this) (Parent)(Thread)(Expand)

	daveman692 2006-01-27 01:25 am UTC (link)
	Do you know which browsers don't respect path security? (Reply to this) (Parent)(Thread)(Expand)

	neugotik 2006-01-27 01:28 am UTC (link)
	It'll be great when we can close out open sessions - that will really help if/when we see one open at an IP we don't want open (but we might not _be_ at) - nice work! Thanks for closing up those loopholes: I use Firefox more & more on both my work PC & home Mac. I appreciate that you are closing these security issues up for Mozilla/Firefox. (Reply to this) (Thread)(Expand)

	vanbeast 2006-01-27 01:38 am UTC (link)
	It's not quite what you're looking for, but at http://www.livejournal.com/logout.bml, you can kill all your sessions. Better than nothin', I suppose. (Reply to this) (Parent)(Thread)(Expand)

	nikolasco 2006-01-27 01:49 am UTC (link)
	Could you please kill, relocate, or fix customview.cgi . It runs on www.livejournal.com thereby circumventing the entire cookie dance. (Reply to this) (Thread)

	the_kestral 2006-01-27 01:52 am UTC (link)
	have these changes caused a problem with the mobile lj use? I was able to log in the other day but I cant seem to read any of my friend's posts from my mobile. (Reply to this) (Thread)

	daveman692 2006-01-27 02:30 am UTC (link)
	Any mobile problems should now be fixed. Please open a support request if you're still running into an issue. (Reply to this) (Parent)(Thread)(Expand)

	thehumangame 2006-01-27 03:00 am UTC (link)
	Hrm. Any plans to let us include javascript code in our custom S2 styles now that this increased security has been implemented, or is this just a second layer of protection against vulnerabilities? (Reply to this) (Thread)

	gameboyguy13 2006-01-29 12:03 pm UTC (link)
	The Support Area is a better place to ask this question. (Reply to this) (Parent)

	lost_cosmos 2006-01-29 01:17 pm UTC (link)
	And I'll get no replies there or get someone who thinks they know everything about LJ telling me some FAQ b.s. As far as I am concerned the Support Area doesn't work, hence why I made a comment here, as little as it fits really. This goes directly to a member of LJ and I am hoping for a reply from someone directly involved with LJ. (Reply to this) (Thread)

	agloriousday 2006-02-10 09:27 pm UTC (link)
	you are an idiot. (Reply to this) (Parent)(Thread)(Expand)

	jameth 2006-01-31 12:32 am UTC (link)
	I would like to state for the record that I am innocent and I was in Central America without any Internet access while this all went down. kthx (Reply to this)

	lintak 2006-01-31 06:30 am UTC (link)
	I checked my logins and I see they started on Jan 24th. I have a long list of my logins, will they ever disappear? Or will they stay on that page forever? (Reply to this)

	arricc 2006-01-31 02:02 pm UTC (link)
	It would be nice to have that logins page visible somewhere on the menu. (Reply to this)

	mjb 2006-02-03 05:58 am UTC (link)
	It sounds like HTTP proxy problems. Perhaps your HTTP traffic is being filtered by some software that is "protecting" you a bit too much? (Reply to this) (Parent)

	syarzhuk 2006-02-08 07:18 pm UTC (link)
	Something (I assume the change in cookies/domains) hides friends-only entries in other users' friendlist that should be visible to me. This entry: http://syarzhuk.livejournal.com/395076.html should be visible to me and all my friends. andryuha and I are mutual friends. However, when I view his friendlist http://andryuha.livejournal.com/friends , I don't see it there. (Reply to this)

	bigturtle 2006-02-09 05:54 am UTC (link)
	Why are you still talking about cookies if you are embedding lj_form_auth into the "submit" page? Cookies cannot serve as a security device, at least, it is so since emergence of JavaScript. (Reply to this)

About

Help

Get Involved

Legal

Store

LJ Labs

	goffchick 2006-02-10 12:31 am UTC (link)
	At least now I know why my CSS got wiped. I just don't have any idea what I used that was considered "dangerous" to get it wiped in the first place, since I entirely used pretty basic CSS, and all of it local- no moz-anything; displays, backgrounds, colors, borders, fonts, positions, margins, yes. (Reply to this)

Username:		Create an Account Forgot your login or password? Login w/ OpenID
Password:
	Remember Me
	English • Español • Deutsch • Русский…