eruthros ([personal profile] eruthros) wrote 2011-10-26 04:55 pm

lj security-related PSA

I know a lot of y'all don't use lj, but in case you do, there seems to be a bug that caused (is causing?) a security/privacy breach: multiple people have reported that when they try to edit their own entries/profile/inbox, they are taken to another random user's edit entries/profile/inbox page, and can see all of that user's flocked and private entries. Basically, the system seems to think that they're logged in as another user. Here are some of the early bug reports from last night:

cocanuts reports the logged-in-as-another-user bug
itsaserket reports the logged-in-as-another-user bug
rachelmanija reports the same bug (and also reports that it stopped happening to her) (ETA: she expanded on what the bug looked like in comments here)
nix_this reports the same bug (with other details in nix_this's lj)
kazzisato reports the same bug

... but there are a ton of comments on the lj releases post now; those are just the first reports of the problem that I saw. LJ staff have not yet commented to my knowledge, so all that there is so far is a series of bug reports - nobody seems to know the extent or scale of the problem, whether it was a temporary glitch that has already been fixed or whether it's ongoing, or basically any other details. I haven't seen any bug reports from users who noticed unauthorized access of their journals - just from people who noticed being logged in as someone else.

There's also an overview post about this lj bug at unfunnybusiness. There don't seem to be any suggestions for fixes yet, but the lj release entry for their recent code release has 800+ comments and is growing, and I haven't looked at everything. I haven't seen any reports on why it's happening, but some folks are suggesting that it might be related to an (unannounced) change in handling cookies that has also affected plugins like LJ Login and dreamwidth's comment importing.

Unfortunately, while you can tell pretty easily if you have access to the wrong journal (click edit entries, see what happens, if something goes wrong log out and log back in), so far there's no way to tell if anyone else has access to yours. Will ETA if I learn more.

ETA1: I haven't seen any bug reports from people who experienced the bug after mid-morning today UTC (but I could have just missed them) - if you know of any, please let me know and I'll ETA again. Now I've seen some more recent reports, so it hasn't stopped happening. I have also seen people reporting that it's no longer happening to them, though - [personal profile] rachelmanija, linked above, and [personal profile] wendelah1 in comments here.

ETA2: [livejournal.com profile] fallacy_angel took a screencap of the journal they were temporarily logged into; see also their comment at lj releases.

ETA3: Strike ETA1; I think [journalfen.net profile] dapperdinosaur is reporting the bug shortly after it happened to them, which makes a bug report from about 4:00 am UTC on the 27th.

ETA4: [personal profile] lorax experienced the bug at about 3:15 pm UTC on the 26th, and wrote up a detailed report of what the bug looked like plus some notes about lj's response.

ETA5: In the comments here, [personal profile] silveraspen describes the response to their pm to a site staffer (at 2:46 pm UTC on the 27th) which suggested that info was going to go up at [livejournal.com profile] lj_maintenance soonish.

ETA6: There's a new lj maintenance post that describes the problem: they're saying that it didn't allow people to edit other users' pages, just view them, so it wasn't a security risk. (This is one of the times when I facepalm about lj's communication - site security vs security of people's info would maybe have been a good thing to mention there.) They also describe it as a bug that lasted for only three minutes - while it's true that most of the bug reports I saw were clustered around the same time period, I've also seen a couple more recent reports, so that seems ... unlikely.

ETA7: Make that a really recent one - here's [livejournal.com profile] snailbones's report of the problem happening after that lj maintenance post was made.

ETA8: This is the first instance I've seen of someone saying that they actually did something with the account they were logged into (I think - it's somewhat confusingly worded, so definitely grain of salt here), plus some discussion of how long the problem was happening: [livejournal.com profile] misstiajournal's comment at the lj maintenance post.

ETA9: [livejournal.com profile] moropus also reports that they accidentally commented as another user when they experienced the bug (note that the comment also has anti-Russian sentiment)

ETA10: [personal profile] siljamus talks about things to do to minimize the risk of this happening to your journal, which mostly involve logging out of all of your livejournal login sessions, and then not logging back in at all (which includes not crossposting from dw).

ETA11: I haven't seen a live report of the bug since [personal profile] snailbones's, linked above, at 9:38 pm UTC on the 27th. Anyone else seen anything? Yup, other people have seen something - see ETA14.

ETA12: LJ mentioned the problem in passing in their most recent lj news update; many of the comments are angry about the in-passing remark and its wording, challenge the details, etc.

ETA13: [personal profile] rachelmanija describes what the bug looked like (what she could see, how long it lasted).

ETA14: strike ETA11; [personal profile] majoline reports seeing the bug (or a different bug?) at about 3:30 pm UTC on 10/29. This bug report is different, though - they were taken to the edit entries page of a journal entry they clicked on, not to a random journal. No word on whether they could do anything on that page. [personal profile] majoline commented to say that the buttons were grayed out and couldn't be clicked on.

ETA15: It turns out that anyone can see anyone else's edit-entry page for a public post by putting in their username and the number of the entry; it only works for public posts, and it grays out the boxes and nothing can be clicked on. So a misdirected link could send someone there, and so could I if I manually entered it, and so on. [personal profile] darkspirited1 and [personal profile] xenotaku have been figuring out the parameters of how this works in a comment thread. The existence of this weird UI is irritating, because it means that the cache error(?) bug and this thing might be described in the same way by a user. The important differences seem to be that in the cache error, someone appeared to be logged in as someone else, so the edit entry page would appear normally but with someone else's data (buttons appeared pushable, someone else's username and icon, etc), whereas in this case the edit entry page looks weird and unusable (buttons and text greyed out, and at the top it looks like you're trying to edit a post in a community: [yourusername] in community [otherjournalname]).

ETA16: I just saw another new bug report on lj maintenance of something weird that looks a bit like the original bug circa 4:53 pm UTC 10/29. Their comment with screencaps got marked suspicious, but since the comment was emailed to me I saw the screencap, and they said I could link it here: screencap of the post entries page as [livejournal.com profile] snowsoftsong. It looks like the post entries page as if someone else was viewing it - there was no "in community..." or anything and the entry page wasn't greyed out - except that the username was [livejournal.com profile] snowsoftsong, and the original poster of that post was alwaystheheart in a different comm. So: WEIRD.

(Almost) everything I've linked to in this post is a single user's bug report or description of their issues - I have no way of checking the veracity of anyone's comments.
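The post points out that a user can tell when they are served someone else's journal but has no way to tell whether someone else was served theirs. As an added example (not LiveJournal's code or data), here is the kind of server-side check that can answer that: a session cookie belongs to exactly one account, so any session identifier that shows up attributed to several accounts in the request log is the trace this bug leaves. The log format, field names, paths and all values are constructed for the example.

```python
"""Added example, not LiveJournal's code or data. Users could tell when they
were served someone else's journal but not whether someone else was served
theirs; the site side can, because a session cookie belongs to exactly one
account, so a request log in which one session identifier is attributed to
several accounts is the trace this bug leaves. The log format, field names
and every value below are constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

class Request(NamedTuple):
    time: datetime
    sid: str     # hashed session cookie
    user: str    # account the request was served as
    method: str
    path: str

# Constructed log: session s2 is served as three accounts within minutes;
# session s9 later makes a POST (a comment) as a second account.
SAMPLE_LOG = """\
2011-10-26T15:10:02Z sid=s1 user=alice GET /editjournal.bml
2011-10-26T15:11:40Z sid=s2 user=bob GET /editjournal.bml
2011-10-26T15:12:05Z sid=s2 user=carol GET /editjournal.bml
2011-10-26T15:13:30Z sid=s2 user=dave GET /editjournal.bml
2011-10-26T15:14:00Z sid=s3 user=erin GET /update.bml
2011-10-26T15:20:00Z sid=s2 user=bob GET /editjournal.bml
2011-10-27T21:38:00Z sid=s9 user=frank GET /editjournal.bml
2011-10-27T21:38:20Z sid=s9 user=grace POST /talkpost_do.bml
"""

def parse_log(text: str) -> List[Request]:
    requests = []
    for line in text.splitlines():
        ts, sid, user, method, path = line.split()
        requests.append(Request(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                sid.split("=", 1)[1], user.split("=", 1)[1],
                                method, path))
    return requests

def find_session_confusion(requests: List[Request]) -> Dict[str, List[Request]]:
    """Sessions whose requests were served as more than one account."""
    by_sid: Dict[str, List[Request]] = defaultdict(list)
    for r in requests:
        by_sid[r.sid].append(r)
    return {sid: reqs for sid, reqs in by_sid.items()
            if len({r.user for r in reqs}) > 1}

def incident_window(flagged: Dict[str, List[Request]]) -> timedelta:
    """Span between the earliest and latest request of any flagged session,
    to set against the 'three minutes' the site reported (ETA6)."""
    times = [r.time for reqs in flagged.values() for r in reqs]
    return max(times) - min(times)

def writes_under_wrong_identity(flagged: Dict[str, List[Request]]) -> List[Tuple[str, str, str]]:
    """POSTs a flagged session made as an account other than the one it was
    first served as (taken here as the cookie's real owner): the 'accidentally
    commented as another user' case (ETA9). Returns (sid, user, path)."""
    hits = []
    for sid, reqs in flagged.items():
        owner = min(reqs, key=lambda r: r.time).user
        hits.extend((sid, r.user, r.path) for r in reqs
                    if r.method == "POST" and r.user != owner)
    return hits
```

On the constructed log this flags sessions s2 and s9, shows an incident window far longer than three minutes, and attributes one comment POST to the wrong identity.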

[personal profile] xenotaku 2011-10-28 05:40 pm (UTC)(link)
No new "news", but LJ's trying to sweep it under the rug with the latest post on news. The only reference to the security issue is a brief mention that there was a "service issue" that "was quickly resolved". People are bringing it up in comments.

[personal profile] xenotaku 2011-10-28 09:26 pm (UTC)(link)
The ironic part, of course, being that they suck at communication, when they're in the communication industry.

[And I wish I had a facepalm icon]

[personal profile] rachelmanija 2011-10-28 07:21 pm (UTC)(link)
Details on my experience: Every time I tried to edit my own entries, I got bounced to the "edit multiple entries" page of a different user. I tried about three times, and got a different user each time. I don't recall who any of them were, other than that none of them were people I knew or who had me friended. One was in Russian, the others were in English.

In every case, I could read the full text of locked, filtered, and private entries. (Don't worry, I don't know anyone's secrets - the entries were hard to read due to html mark-ups, and once I realized what was going on, I quickly exited. So I only read a couple sentences worth of private material.)

I don't know if I could manipulate their accounts, as I didn't try.

After 5-10 minutes, it stopped happening, and hasn't happened since.

[personal profile] boundbooks 2011-10-29 05:20 pm (UTC)(link)
Thought I'd let you know of a Live bug report from:

Oct. 29th, 2011 11:35 am

"they're still messing up - I right clicked on a story rec link to open it into a new tab, and instead it took me to that particular journal entry's edit page. >:(

Reported to lj, but still... thought everyone would appreciate the head's up."

http://majoline.dreamwidth.org/77436.html

Which is actually kind of a worse form of the bug, because it's *that* journal, which means that you might be able to control which journal you get access to, rather than just have it be random.
Edited 2011-10-29 17:21 (UTC)

[personal profile] boundbooks 2011-10-29 05:59 pm (UTC)(link)
Just as an additional update, might be helpful for people, in my new post (http://boundbooks.dreamwidth.org/101112.html) I said this:

How to Delete All of Your LJ Entries

I am not saying that everyone should do this. One's LJ is one's own personal space and decisions. I have seen people asking for this information, which is why I'm passing it along. This is a Windows-only program.

LJ-Sec is a LiveJournal entry management tool that allows one to do mass actions. It was broken by the last patch, but someone has put up a temporary fix.

[personal profile] boundbooks 2011-10-29 06:28 pm (UTC)(link)
Here's the one about a year ago: http://www.journalfen.net/community/unfunnybusiness/324593.html?thread=21146865#t21146865

I'm not sure if that's worse or better, re: speculation that it's two bugs. :(

I mean, it's better if it was two bugs, because that means that the common bug won't allow you to edit. On the other hand, it's worse because the editing/commenting bug has been reported for a year, and LJ has never 1) acknowledged it or 2) fixed it.

Oh, and pinesandmaples offered a 'I can't believe I didn't think of that!' work-around for Mac users for LJ-Sec:

"If you are part of a Mac-only household, make fast friends with a PC owner. I live with two of them, and [personal profile] rooibos graciously let me use her laptop for this endeavor."

http://pinesandmaples.dreamwidth.org/878931.html

[personal profile] majoline 2011-10-29 08:26 pm (UTC)(link)
I just noticed that you mentioned not noticing if I could do anything and went back to check my screenshot - that no, I could not edit or change anything on the page.

[personal profile] darkspirited1 2011-10-30 02:59 am (UTC)(link)
Hey. I've been following your blog and the updates. I'm really grateful to them! They've helped keep me in the loop. I'm still a little confused as to whether LJ has officially stopped this. I can say that I did do a little digging and try to find out with some personal research.

It's a long comment, so basically, tl;dr: Turns out you can access a public entry edit page with the simple edit entry url for each entry, but not private, friends only, profiles, or inboxes NOW as far as I can tell. What things were like before is another story...



The longer story:

I have a few old journals I no longer use on LJ that were perfect for such a cause. We shall call them APost and AView. I use AView to try to look into APost entries. APost is a blank journal I created a while back but never used. I made 3 entries, one public, one private, and one friends only.

I tried to access each one with the standard edit entry URL and gained access to ONLY the public entry in APost.

However, it does NOT allow me to change ANYTHING on APost. Everything is sort of grayed out. It will NOT allow me to even view the private and friends only entries. Thank goodness!

I also tried accessing the edit profile URL for my test account and it came up with an error saying I couldn't be verified as the user. Trying to access a message from my inbox came up with that error too.

Both journals are on different servers.

I tell you this information in hopes that it might somehow bring some insight to anyone who still worries about this security breach.

However, I should also mention that looking at the login information under manage/logins.bml on the APost does NOT show that I "logged in". In fact, when I was viewing APost through AView, it showed me as if I was trying to edit a post in a community oddly enough. Specifically it says:

Poster: [userhead image] in community [userhead] [APost]

It also shows AView's userpic but does not list AView as the poster. It's just a userpic.




It will be nice to see if LJ makes any further comments regarding this issue.

Sorry for making this comment so long. I actually have screenshots of everything too if you want to see them/things are too difficult to understand here.

[personal profile] xenotaku 2011-10-30 04:39 pm (UTC)(link)
Just tried it out myself, and got the same results (for editing journal entries, at least). For the f-locked and private entries, it told me "could not find journal entry". For the public one, it gave me a grayed-out edit box and buttons, the weird "Poster:" line, and it shows my logged-in icon and icon list.

[personal profile] xenotaku 2011-10-30 05:10 pm (UTC)(link)
Huh, so maybe this isn't related to the other bug? Since you're not appearing as logged in, like the other bug's reports are saying.

At least I know that people can't purposefully get into my locked entries, or edit my journal. Accidentally, on the other hand...

BTW, just tried it with a public community post, and it's giving me the "Could not find selected journal entry", so it doesn't even work to view the edit page with a community post.


[personal profile] darkspirited1 2011-10-30 05:19 pm (UTC)(link)
DW does it too? That's so strange! Bugs are intriguing!


[personal profile] darkspirited1 2011-10-30 05:18 pm (UTC)(link)
Ah yes. I hadn't seen the support request. I'm just glad you can't look into friends only/private entries like that.

Still, I wish LJ would announce whether the random happenings have stopped. This makes me think that they may have, at least in the case of private/friends only stuff. One can only hope anyway...


[personal profile] briar_pipe 2011-10-30 07:26 pm (UTC)(link)
This bug is very old on both sites.

I switch constantly between accounts, some of which are shared. I often end up viewing an "edit entry" page for an entry I didn't post with that account. I can't actually edit or delete it, but I can view it. It's very similar to the way a mod can view entries on a comm in edit mode but can't actually edit them, except instead of the textbox being grayed out and the meta options available, the textbox is regular and the post and delete options are not available.

Here via [personal profile] lorax.

[personal profile] advancing 2011-11-02 04:08 pm (UTC)(link)
I submitted a support request to LiveJournal under my RP account (notalwystrthful) and since it was marked private due to the concerns I addressed, this is what I put in my support request and if they ignore my concerns, I do intend to go to higher ups about the issue itself.

[personal profile] advancing 2011-11-02 04:08 pm (UTC)(link)
And, if by some reason plurk decides to delete that paste, I'll copy and paste it in this comment.

"Since it seems like you don't read the comments in news, lj_releases, lj_maintenance or any other communities of the sort, I'm just wondering if you value your customers at all. I've been a paying customer with both paid accounts and icon packages for my roleplay accounts, in which I don't see this continuing any further if things won't change or if you'll continue to ignore the people who take a few minutes out of their day to address the problems that you have caused. It's Customer Service 101 to know that if there is a problem, you should correct it for the customer's happiness so that they /keep/ coming back to your store and will spread the word, which will help drive in revenue and other payments that will help keep LiveJournal afloat.

First off, in my opinion, release 86 was not necessary in implementing. Your "move" to prevent spambots has been proven ineffective. For example, I'll provide you with this comment (http://news.livejournal.com/139959.html?thread=97068727#t97068727) as seen in your most recent news post. Secondly, I, and many other users who rely on add ons like LJLogin, a service that slarti provides for free so that roleplayers keep on coming back to your site for services and friends that they have made, has been rendered useless due to this supposed fix. Since it seems like you have the inability to listen to people's legitimate concerns, I'll say it here so that it can sink in to your minds and make you think differently - there was nothing wrong with how LiveJournal worked before this release. There was nothing wrong with how LiveJournal worked before this release.

Thirdly, when are you going to address the concerns about privacy and people going into others accounts when they shouldn't be? All you have done is address userpic issues, something that yes, it should be fixed, but other than that, I'd think that privacy is something you should be more concerned over than a bunch of pixels on a screen. You have made your userbase unsure and nervous about continuing to use your services any longer. So, again, I ask you - when are you going to address privacy concerns or are you going to continue to pretend that things are okay instead, like you usually do?

Lastly, I do not see my future continuing here at LiveJournal if these issues and problems continue as well as if you keep on ignoring your userbase. If I'm not successful in reaching you through your support board, then I will personally send an email with these exact concerns to someone who will listen and will apply more pressure to you to change the procedures that you have been doing so far. These concerns are not just exclusively mine - they are what people have been putting up in your various communities and haven't gotten a reply since.

It's time for you to own up to your mistakes and for you to actually give the kind of customer service that people are /expecting/ you to have instead of shying away from the problems people have expressed. Will you listen or will you continue to go with what you have been doing and cause even further distrust to grow with your userbase?

Sincerely,
Another Disgruntled User"

[personal profile] xenotaku 2011-11-02 05:27 pm (UTC)(link)
Icon is for drive-by icon love, this is for the letter:

[personal profile] advancing 2011-11-02 05:44 pm (UTC)(link)
I think I know you! :D But, thank you all the same!
