LiveJournal Needs To Tighten Security

Hmm… as part of my ongoing work with Abnib v3.0, I’ve noticed a couple of interesting little quirks in the way that LiveJournal handles security for “friends only” and “private” posts. In fact, I’m pretty sure I’ve found a way to – for any given user – produce a list of the times, dates, and URLs of all posts made by anybody – even ones to which I don’t have access. Not terribly disturbing news, as I still can’t get access to the content of the posts or even the comments to them, but it’s an “opening” – a “way in” – which could potentially lead to a full-blown exploit.

For example, I can tell you that there is a post on Andy’s blog that I’m not allowed to read, that he wrote on the 17th of Januaryat about quarter past four in the afternoon (I hope you don’t mind me using you as my “guinea pig”, Andy – you’re the first person I came to who had a “recent” private post).

The numbers near the end of LiveJournal post URLs are supposed to be semi-random to prevent people from just “guessing” their way to posts, but it turns out this isn’t necessary. I’ve e-mailed LiveJournal to try to explain their flaw to them, but as I can’t be arsed to debug it myself (hey: not my weblog at risk, here), I don’t know yet how much of a priority they’ll make it.

Ho hum.

Edit: Further investigations have revealed that I can easily get the title (but not the content or the comments) of any LiveJournal post, including protected ones. For obvious reasons, I’ve now stopped using my friends’ weblogs as testbeds, and I’ve set up a couple of “play” accounts to try things out with. I wonder if I can get the content of posts? That’d be an interesting challenge.

5 comments

  1. erm… I don’t mind really. seeing as that post was just a draft e-mail that I thought I was going to lose cos of Siân’s fucked up ‘puter.

    but erm… don’t do it again!

    I don’t know exactly how you’ve figured this out but I noticed that a person’s LJ calendar lists the number of posts made on a given day, whether they’re private/friends or what. that’s got to be worth sorting out too.

  2. Just in case you’re interested, here’s the latest post by The Ferrett, who I think I’ve mentioned before.

    Looks vaguely like your sort of thing…

  3. Dan Q Dan Q says:

    Aye; had already read that. =o)

  4. Musouka Musouka says:

    I am curious how this is possible. What method are you using to find out about these private entries? Is it the old xss exploit?

    Thank you

  5. Dan Q Dan Q says:

    Nah; most of the XSS possibilities I’ve seen are well-plugged (I’ve helped sort a couple of them). This exploit, which I believe is still open, is a fault in the interpretation of “private” by some parts of their codebase.

    For a quick start, go to a public by somebody using the basic template and use the “forward” or “back” arrows to skip to a later or earlier post (of course, this can be done again with well-crafted URLs and, ideally, a script – I knocked up a quick Ruby one to help) until you find one which you don’t have access to. Then, use the “add to memories” function (you’ll have to have remembered the way these URLs work, too), and check your memories to get the title of the post.

    If you want more, there’s a little more exploration to do. Hopefully LJ will fix it soon.

Reply here

Your email address will not be published. Required fields are marked *

Reply on your own site

Reply by email

I'd love to hear what you think. Send an email to b894@danq.me; be sure to let me know if you're happy for your comment to appear on the Web!