Note: I did not create this post. I followed a link on someone else's journal, which auto-posted this. Yes, it's a virus! If it gets out of hand I'll probably disable this link, but for now I'm actually curious to see how it will develop. If you're not curious, don't follow the link (if you haven't already).
According to other LJ rumblings, a similar trick going around quietly puts someone on your friends (or friends-of?) list, and this points to potential for some serious abuse here. (I can imagine a trick-link that does something obvious, like this one, but does so to divert attention from something sneaky and nasty it also does. Unlocking all your friends-only posts, for example, or just deleting them.)
LJ apparently considers this a vulnerability and is working on a fix.
I tried logging out from LJ and clicking. I ended up at the LJ update page with an error message stating that I wasn't logged in. That's basically what I expected, but I'm glad there's some protection from abuse.
I'm wondering how far you can go with this. Can you delete posts? Add or remove people from your Friends list? The LJ API allows all sorts of useful things, but obviously it can be abused.
The first way to protect yourself is to not leave yourself logged in. There's the possibility that you could run across a random website which triggers malicious LJ code. Not being logged in will prevent harmful code from running.
Yeah, it's basically taking advantage of the convenience of having an "I'm logged in" cookie. Pretty much the same thing as setuid-bit hacking, I think. I'm pretty sure there's a standard way to fix it, but I don't remember the details...
You could delete it or edit it. At least you might want to delete the 1x1 tracker image, which is starting to cause some lag. I'm going to leave it in mine, though, just for fun.
go ahead and leave it up though, i'm curious what penetration rate this will actually reach.
-j