I tried logging out from LJ and clicking. I ended up at the LJ update page with an error message stating that I wasn't logged in. That's basically what I expected, but I'm glad there's some protection from abuse.
I'm wondering how far you can go with this. Can you delete posts? Add or remove people from your Friends list? The LJ API allows all sorts of useful things, but obviously it can be abused.
The first way to protect yourself is to not leave yourself logged in. There's the possibility that you could run across a random website which triggers malicious LJ code. Not being logged in will prevent harmful code from running.
Yeah, it's basically taking advantage of the convenience of having an "I'm logged in" cookie. Pretty much the same thing as setuid-bit hacking, I think. I'm pretty sure there's a standard way to fix it, but I don't remember the details...
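One widely used fix for the problem discussed in this thread is a per-session anti-CSRF token that the server checks on every state-changing request. The sketch below is an added example, not part of the original comments and not LiveJournal's code; the handler, cookie name, session table and sample values are hypothetical.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret (generated here only for the example).
SERVER_KEY = secrets.token_bytes(32)

def issue_token(session_id: str) -> str:
    """Token the site embeds in its own forms, bound to the session cookie value."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def handle_post(cookies: dict, form: dict, sessions: dict) -> str:
    """Hypothetical handler for a state-changing request such as posting an entry."""
    session_id = cookies.get("session")
    user = sessions.get(session_id)
    if user is None:
        return "rejected: not logged in"
    # The browser attaches the "I'm logged in" cookie to every request sent to
    # the site, including ones triggered from another site, so the cookie alone
    # says nothing about where the request originated.
    expected = issue_token(session_id)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "rejected: missing or invalid token"
    return f"posted as {user}"

# Constructed sample data.
SESSIONS = {"s3ss10n": "alice"}
COOKIES = {"session": "s3ss10n"}

def demo():
    # Form served by the site itself: carries the token for this session.
    own_form = {"body": "hello", "csrf_token": issue_token("s3ss10n")}
    # Request triggered from a third-party page: cookie is sent, token is absent.
    cross_site_form = {"body": "unwanted entry"}
    return (
        handle_post(COOKIES, own_form, SESSIONS),
        handle_post(COOKIES, cross_site_form, SESSIONS),
        handle_post({}, cross_site_form, SESSIONS),
    )

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```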