Memes, lies and hysteria - Grin with cat attached
Memes, lies and hysteria Jun. 12th, 2004 08:29 pm
No, those memes DO NOT, and cannot, steal your password. Nor can they change your password. However, they can post just about any other LJ form IF you are logged in to LJ AND have JavaScript enabled. They can come from ANY site and do not need to be linked to from LJ to work: any site you come across anywhere on the web could do this, and would not need to make any LJ-related content visible. They can also work against any other site that uses the same sort of cookie authentication.

It is not a browser bug; it is a flaw in the way LJ (and many other sites) use permanent cookies to handle non-expiring logins. The scheme such sites use prevents anyone but the user from *seeing* anything personal to them, but not from submitting data *as* that user.

The only really surprising thing about this flaw is that it has taken this long for anyone to realise its potential or exploit it as an attack. The onus to fix it is on the affected sites, which need to take steps to confirm that only their own forms are accepted for submission wherever there is an impersonation risk. This can be achieved fairly easily at the design stage by inserting per-user secrets into forms, which a third-party site has no way of knowing. As such, phase.org's code is now protected against such attacks (although, due to its more paranoid security measures, it was never as vulnerable).

Naturally it's a bit more of a bugger to retro-fit to an existing site.

A blanket block against cross-site form submission is not going to help; in fact various sites (e.g. First Direct's Internet Banking Plus) use it quite legitimately. The need is to fix the problem in the sites, not the functionality in the browser.
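The per-user-secret fix described above, as an added example (not phase.org's or LJ's code): the site puts a secret derived from the user's stored per-user value into a hidden field of every form it serves, and the processing script accepts a post only when the cookie's user and the submitted secret match. The function names `user_secret` and `check_user_secret` are assumed, borrowed from the comment below; the server key and user secrets are constructed for the example.

```python
import hashlib
import hmac

# Constructed server-side key; in practice read from config and never sent to a client.
SERVER_KEY = b"constructed-server-key-for-this-example"

# Constructed stand-in for the 'secret in database' column: one random value per account.
USER_SECRETS = {
    "alice": "3f9a1c7e-constructed-secret-alice",
    "bob": "b72d0e44-constructed-secret-bob",
}


def user_secret(username):
    """Hidden form value for this user: an HMAC of the stored per-user secret,
    so the raw database value itself never appears in a page."""
    raw = USER_SECRETS[username]
    msg = f"{username}:{raw}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def check_user_secret(username, submitted):
    """Constant-time comparison of the submitted field against the value
    expected for the logged-in user. A missing field fails closed."""
    if not submitted:
        return False
    return hmac.compare_digest(user_secret(username), submitted)


def render_post_form(username):
    """The form the site itself serves: the secret rides along in a hidden field."""
    return (
        '<form method="post" action="/update">'
        f'<input type="hidden" name="secret" value="{user_secret(username)}">'
        '<textarea name="entry"></textarea><input type="submit"></form>'
    )


def handle_update(cookie_user, form):
    """Processing script. The login cookie still identifies the user (as on LJ),
    but the post is accepted only if the form carries that user's secret, which a
    form built on some other site cannot contain."""
    if cookie_user is None:
        return "not logged in"
    if not check_user_secret(cookie_user, form.get("secret")):
        return "rejected: form did not come from this site"
    return f"posted as {cookie_user}: {form['entry']}"
```

A forged submission arrives with the browser's cookie but without the hidden field, so it is rejected; the site's own form, rendered for that user, is accepted.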

From: ciphergoth
Date: June 13th, 2004 - 12:03 am
ravenblack has found a neater fix than those per-user secrets - check out the revised version of my LJ post.
From: wechsler
Date: June 13th, 2004 - 07:56 am
That works, too - although I'm going to stick with the 'secret in database' version for the moment.

Phase.org implements this as functions anyway - user_secret and check_user_secret or some such - so once the function calls are in the forms and processing scripts I can change the backend functionality at will.