Grin with cat attached (wechsler) wrote,

Memes, lies and hysteria

No, those memes DO NOT, and cannot, steal your password. Nor can they change your password. However, they can post just about any other LJ form IF you are logged in to LJ AND have JavaScript enabled. They can come from ANY site and do not need to be linked to from LJ to work. Any site you come across anywhere on the web could do this, and would not need to make any LJ-related content visible. They can also work against any other sites that use the same sort of cookie authentication.

It is not a browser bug, it is a flaw in the way LJ (and many other sites) use permanent cookies to handle non-expiring logins. The scheme used by such sites prevents anyone but the user from *seeing* anything personal to them, but not from submitting data *as* that user.

The only really surprising thing about this flaw is that it has taken this long for anyone to realise its potential or exploit it as an attack. The onus to fix it is on the affected sites, which need to take steps to confirm that only their own forms are accepted for submission where there is an impersonation risk. This can be achieved fairly easily at the design stage by inserting per-user secrets into forms. As such, phase.org's code is now protected against such attacks (although, due to its more paranoid security measures, it was never as vulnerable).

Naturally it's a bit more of a bugger to retro-fit to an existing site.
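One way to implement the per-user form secret described above, as an added sketch that is not phase.org's or LJ's code. The names `SERVER_KEY`, `issue_form_token`, `verify_form_token`, `handle_post` and the `form_token` field are assumptions, and the session ids are constructed sample values:

```python
import hashlib
import hmac
import secrets

# Assumption: one random server-side key that is never sent to the browser.
SERVER_KEY = secrets.token_bytes(32)


def issue_form_token(session_id: str, action: str, key: bytes = SERVER_KEY) -> str:
    """Per-user secret to embed as a hidden field when the site renders its own form.

    Binding it to the session and the form action means a token issued to
    one user, or for one form, is useless for any other.
    """
    # Length prefix keeps (session_id, action) pairs unambiguous.
    msg = f"{len(session_id)}:{session_id}|{action}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_form_token(session_id: str, action: str, submitted, key: bytes = SERVER_KEY) -> bool:
    """True only if the submitted hidden field matches what the site would have issued."""
    if not isinstance(submitted, str) or not submitted:
        # A form hosted on another site cannot read our pages, so it arrives without the field.
        return False
    expected = issue_form_token(session_id, action, key)
    # Compare as bytes in constant time; bytes also avoids a TypeError on non-ASCII input.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_post(cookie_session: str, action: str, form: dict) -> int:
    """Hypothetical handler: the cookie says who is logged in, the token says the form was ours."""
    if not verify_form_token(cookie_session, action, form.get("form_token")):
        return 403
    return 200


if __name__ == "__main__":
    alice = "sess-alice-constructed"  # constructed sample session id
    own = {"subject": "hello", "form_token": issue_form_token(alice, "/post_entry")}
    print("site's own form:", handle_post(alice, "/post_entry", own))
    print("cross-site form, cookie only:", handle_post(alice, "/post_entry", {"subject": "meme"}))
```

The cookie still travels with the cross-site submission, which is why the handler checks the hidden field and not the cookie alone.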

A blanket block against cross-site form submission is not going to help; in fact, various sites (e.g. First Direct's Internet Banking Plus) use it quite legitimately. The need is to fix the problem in the sites, not the functionality in the browser.
Tags: phasecode, tech