eruthros: Aang from Avatar:TLA facepalming (Avatar - facepalming aang)
eruthros ([personal profile] eruthros) wrote2011-10-26 04:55 pm
Entry tags:

lj security-related PSA

I know a lot of y'all don't use lj, but in case you do, there seems to be a bug that caused (is causing?) a security/privacy breach: multiple people have reported that when they try to edit their own entries/profile/inbox, they are taken to another random user's edit entries/profile/inbox page, and can see all of that user's flocked and private entries. Basically, the system seems to think that they're logged in as another user. Here are some of the early bug reports from last night:

cocanuts reports the logged-in-as-another-user bug
itsaserket reports the logged-in-as-another-user bug
rachelmanija reports the same bug (and also reports that it stopped happening to her) (ETA: she expanded on what the bug looked like in comments here)
nix_this reports the same bug (with other details in nix_this's lj)
kazzisato reports the same bug

... but there are a ton of comments on the lj releases post now; those are just the first reports of the problem that I saw. LJ staff have not yet commented to my knowledge, so all that there is so far is a series of bug reports - nobody seems to know the extent or scale of the problem, whether it was a temporary glitch that has already been fixed or whether it's ongoing, or basically any other details. I haven't seen any bug reports from users who noticed unauthorized access of their journals - just from people who noticed being logged in as someone else.

There's also an overview post about this lj bug at unfunnybusiness. There don't seem to be any suggestions for fixes yet, but the lj release entry for their recent code release has 800+ comments and is growing, and I haven't looked at everything. I haven't seen any reports on why it's happening, but some folks are suggesting that it might be related to an (unannounced) change in handling cookies that has also affected plugins like LJ Login and dreamwidth's comment importing.

Unfortunately, while you can tell pretty easily if you have access to the wrong journal (click edit entries, see what happens, if something goes wrong log out and log back in), so far there's no way to tell if anyone else has access to yours. Will ETA if I learn more.

ETA1: I haven't seen any bug reports from people who experienced the bug after mid-morning today UTC (but I could have just missed them) - if you know of any, please let me know and I'll ETA again. Now I've seen some more recent reports, so it hasn't stopped happening. I have also seen people reporting that it's no longer happening to them, though - [personal profile] rachelmanija, linked above, and [personal profile] wendelah1 in comments here.

ETA2: [livejournal.com profile] fallacy_angel took a screencap of the journal they were temporarily logged into; see also their comment at lj releases.

ETA3: Strike ETA1; I think [journalfen.net profile] dapperdinosaur is reporting the bug shortly after it happened to them, which makes a bug report from about 4:00 am UTC on the 27th.

ETA4: [personal profile] lorax experienced the bug at about 3:15 pm UTC on the 26th, and wrote up an detailed report of what the bug looked like plus some notes about lj's response.

ETA5: In the comments here, [personal profile] silveraspen describes the response to their pm to a site staffer (at 2:46 pm UTC on the 27th) which suggested that info was going to go up at [livejournal.com profile] lj_maintenance soonish.

ETA6: There's a new lj maintenance post that describes the problem: they're saying that it didn't allow people to edit other users' pages, just view them, so it wasn't a security risk. (This is one of the times when I facepalm about lj's communication - site security vs security of people's info would maybe have been a good thing to mention there.) They also describe it as a bug that lasted for only three minutes - while it's true that most of the bug reports I saw were clustered around the same time period, I've also seen a couple more recent reports, so that seems ... unlikely.

ETA7: Make that a really recent one - here's [livejournal.com profile] snailbones's report of the problem happening after that lj maintenance post was made.

ETA8: This is the first instance I've seen of someone saying that they actually did something with the account they were logged into (I think - it's somewhat confusingly worded, so definitely grain of salt here), plus some discussion of how long the problem was happening: [livejournal.com profile] misstiajournal's comment at the lj maintenance post.

ETA9: [livejournal.com profile] moropus also reports that they accidentally commented as another user when they experienced the bug (note that the comment also has anti-Russian sentiment)

ETA10: [personal profile] siljamus talks about things to do to minimize the risk of this happening to your journal, which mostly involve logging out of all of your livejournal login sessions, and then not logging back in at all (which includes not crossposting from dw).

ETA11: I haven't seen a live report of the bug since [personal profile] snailbones's, linked above, at 9:38 pm UTC on the 27th. Anyone else seen anything? Yup, other people have seen something - see ETA14.

ETA12: LJ mentioned the problem in passing in their most recent lj news update; many of the comments are angry about the in-passing remark, wording, challenge the details, etc.

ETA13: [personal profile] rachelmanija describes what the bug looked like (what she could see, how long it lasted).

ETA14: strike ETA11; [personal profile] majoline reports seeing the bug (or a different bug?) at about 3:30 pm UTC on 10/29. This bug report is different, though - they were taken to the edit entries page of a journal entry they clicked on, not to a random journal. No word on whether they could do anything on that page. [personal profile] majoline commented to say that the buttons were grayed out and couldn't be clicked on.

ETA15: It turns out that anyone can see anyone else's edit-entry page for a public post by putting in their username and the number of the entry; it only works for public posts, and it grays out the boxes and nothing can be clicked on. So a misdirected link could send someone there, and so could I if I manually entered it, and etc. [personal profile] darkspirited1 and [personal profile] xenotaku have been figuring out the parameters of how this works in a comment thread. The existence of this weird UI is irritating, because it means that the cache error(?) bug and this thing might be described in the same way by a user. The important differences seem to be that in the cache error, someone appeared to be logged in as someone else, so the edit entry page would appear normally but with someone else's data (buttons appeared pushable, someone else's username and icon, etc), whereas in this edit entry page looks weird and unusuable (buttons and text greyed out, at the top it looks like you're trying to edit a post in a community: [yourusername] in community [otherjournalname]).

ETA16 I just saw another new bug report on lj maintenance of something weird that looks a bit like the original bug circa 4:53 pm UTC 10/29. Their comment with screencaps got marked suspicious, but since the comment was emailed to me I saw the screencap, and they said I could link it here: screencap of the post entries page as [livejournal.com profile] snowsoftsong. It looks like the post entries page as if someone else was viewing it - there was no "in community..." or anything and the entry page wasn't greyed out - except that the username was [livejournal.com profile] snowsoftsong, and the original poster of that post was alwaystheheart in a different comm. So: WEIRD.

(Almost) everything I've linked to in this post is a single user's bug report or description of their issues - I have no way of checking the veracity of anyone's comments.
monanotlisa: Steve Rogers jumping down against a bright blue sky with clouds, his shield centering the eye. (Default)

[personal profile] monanotlisa 2011-10-26 09:15 pm (UTC)(link)
Urgh, that is NOT OF THE GOOD. :/ Thanks for telling us.
meloukhia: A cat, looking extremely guilty, peering out of a pile of fabric (Shifty Cat)

[personal profile] meloukhia 2011-10-26 09:21 pm (UTC)(link)
EEEEK.
such_heights: amy and rory looking at a pile of post (Default)

[personal profile] such_heights 2011-10-26 09:26 pm (UTC)(link)
ugh DDD: Thanks for the info!
glass_icarus: (avatar: appa hiding)

[personal profile] glass_icarus 2011-10-26 10:12 pm (UTC)(link)
... eep! Thanks for the heads-up!
coffeeandink: (Default)

[personal profile] coffeeandink 2011-10-26 11:24 pm (UTC)(link)
Thanks for the heads up.
paian: A stargate viewed at an angle, caption 'A thousand tales' (Default)

[personal profile] paian 2011-10-26 11:42 pm (UTC)(link)
Thank you!
ratcreature: RL? What RL? RatCreature is a net addict.  (what rl?)

[personal profile] ratcreature 2011-10-26 11:57 pm (UTC)(link)
Do you see the other people who accidentally had access in your login-session history page?

(no subject)

[personal profile] ratcreature - 2011-10-27 01:06 (UTC) - Expand

(no subject)

[personal profile] ratcreature - 2011-10-27 09:04 (UTC) - Expand
wendelah1: Scully looking ethereal (Default)

Thank you

[personal profile] wendelah1 2011-10-27 12:51 am (UTC)(link)
This happened to me yesterday. I put in a support request today because now when I try to edit a post, I get logged out, over and over again. I can't preview a post either, if I do, I get logged out.
tessercat: green characters scrolling on black background, like in the Matrix (code)

[personal profile] tessercat 2011-10-27 12:52 am (UTC)(link)
FWIW, I am not currently experiencing this behaviour on LJ. Editing profile/entries/inbox takes me to my own account.

(no subject)

[personal profile] tessercat - 2011-10-27 01:08 (UTC) - Expand

(no subject)

[personal profile] mm_writes - 2011-10-27 04:05 (UTC) - Expand

(no subject)

[personal profile] xenotaku - 2011-10-27 16:43 (UTC) - Expand

(no subject)

[personal profile] mm_writes - 2011-10-28 03:10 (UTC) - Expand
florahart: (twins-gah!)

[personal profile] florahart 2011-10-27 01:01 am (UTC)(link)
Maybe we should all post a privatelocked entry (should be vis only to self) that says "HEY If you are not me and you see this, pls to let me know because this is a bug and it might be useful to help track the problem down"?

Also, ew. D:
boundbooks: An image of deep space, with a cluster of blue and white stars in the lower right hand corner. (stars: blue swirl)

[personal profile] boundbooks 2011-10-27 04:46 am (UTC)(link)
Just wanted to let you know, since a lot of people (including myself!) are linking to this, that it appears to sill be a live bug according to a new comment on journalfen

"I just logged into LJ and ended up looking at some random Russian journal entries." @ 2011-10-27 04:01 am UTC

http://www.journalfen.net/community/unfunnybusiness/324593.html?thread=21136369#t21136369

(no subject)

[personal profile] boundbooks - 2011-10-27 04:51 (UTC) - Expand
chagrined: Marvel comics: zombie!Spider-Man, holding playing cards, saying "Brains?" (brains?)

[personal profile] chagrined 2011-10-27 07:04 am (UTC)(link)
After reading all this stuff now I decided to temporarily delete my LJ until this is addressed. I figure at least that way ppl gaining access to my account won't be able to see my entries and whatnot? I suppose they could always go and undelete and thus gain access, so this only protects against like, a mostly decent person taking a peek or something. If someone who intends malice gains access it wouldn't do much.
ironed_orchid: pin up girl reading kant (Default)

[personal profile] ironed_orchid 2011-10-27 08:06 am (UTC)(link)
Thanks for the round up. I've linked to it in my post.
lea_hazel: The outlook is somewhat dismal (Feel: Crash and Burn)

[personal profile] lea_hazel 2011-10-27 09:12 am (UTC)(link)
Ugh. This is all the incentive I needed for a much belated deleting and changing of passwords. Thanks for posting this, it's very useful.
lorax: Jon is Confused By Your Crazy (DS/TCR - Jon "Crazy Confuses Me")

[personal profile] lorax 2011-10-27 11:23 am (UTC)(link)
Here via [personal profile] boundbooks, and I linked your post in mine, hope that's okay.

The bug hit me yesterday, at around 3:15 pm, UTC on the 16th. I haven't had it happen since.

I've been boggling about the lack of official response since it happened.
Edited (HTML fail.) 2011-10-27 11:24 (UTC)
silveraspen: silver trees against a blue sky background (Default)

[personal profile] silveraspen 2011-10-27 03:25 pm (UTC)(link)
Here via link from [personal profile] newredshoes.

Haven't experienced the bug myself (although who knows if anyone else has accessed my account), but I did send messages to a number of LJ staff identified through official account posting, filed a support request, etc.

As of 8:46 am Mountain time today (not sure of the UTC conversion) I received a response from 1 staffer, who said that they were "sorry for all the confusion," and didn't have authority to make an official statement, but "one is expected to be posted in lj_maintenance."

None yet as far as I can tell. I guess we'll see.

FWIW.

(no subject)

[personal profile] silveraspen - 2011-10-27 15:47 (UTC) - Expand

[personal profile] loveglamour 2011-10-27 04:27 pm (UTC)(link)
TY for telling me. I havent had problems YET.
kore: (Default)

[personal profile] kore 2011-10-27 05:35 pm (UTC)(link)
Thank you for posting this (I deleted my LJ temporarily, like so many other people). Scary.
shyfoxling: fox in a witch's hat and Ravenclaw colors scarf with a wand and shiny swirly bits (Default)

[personal profile] shyfoxling 2011-10-27 07:08 pm (UTC)(link)
Me too. When I edited the profile on my other journal yesterday, when I pressed "Save Changes", rather than the success-what-do-you-want-to-do-now page, I was returned to editing mode with someone else's profile in front of me. Basically being treated as logged in as someone else, as others have noted. I cannot imagine what they must have done to cookie processing to get wires all crossed up like that.
xenotaku: Omi from Weiss Kreuz (Omi | Goggles)

[personal profile] xenotaku 2011-10-27 07:57 pm (UTC)(link)
Major new update: http://lj-maintenance.livejournal.com/131843.html

TL;DR - We didn't say anything because we wanted to figure out what was going on first. We're listening and we promise to do better in the future.

(no subject)

[personal profile] xenotaku - 2011-10-27 20:13 (UTC) - Expand
rydra_wong: Lee Miller photo showing two women wearing metal fire masks in England during WWII. (Default)

[personal profile] rydra_wong 2011-10-27 08:03 pm (UTC)(link)
http://lj-maintenance.livejournal.com/131843.html

Apparently the bug didn't allow people to edit other people's entries. But LJ are also claiming that it only happened for 3 minutes, so. Oh, and being able to see someone else's private entries has "no effect on security".

ETA: Whoops, beaten to it.
Edited 2011-10-27 20:03 (UTC)
brewsternorth: Electric-blue stylized teapot, captioned "Brewster North". (Default)

[personal profile] brewsternorth 2011-10-27 08:30 pm (UTC)(link)
Thanks for staying on top of this! (Phew.)
xenotaku: Hihara from La Corda d'Oro (Hihara | Maneki Neko)

[personal profile] xenotaku 2011-10-27 09:49 pm (UTC)(link)
The problem is apparently not fixed, someone's reporting here that they're still getting routed into other accounts.
happydork: A graph-theoretic tree in the shape of a dog, with the caption "Tree (with bark)" (Default)

[personal profile] happydork 2011-10-27 10:04 pm (UTC)(link)
*sighs, deletes LJ* Thanks for keeping us informed.
anatsuno: a women reads, skeptically (drawing by Kate Beaton) (Default)

[personal profile] anatsuno 2011-10-28 07:14 am (UTC)(link)
Thank you so much for being so on top of it! <3

Page 1 of 2

<< [1] [2] >>