Mechanical

LiveJournal security problem?

Three entries in one day! I guess this is what being sick and stuck at home does for someone.

I develop Web-based applications for a living. As a result, I have a keen interest in Web security issues. When dealing with such issues, it's generally considered to be polite to notify the creators of a program and give them some time to resolve the security issue prior to telling the world. Some just announce the issue because they can't contain themselves (or want publicity for their security company). I prefer the former approach, so when I discovered a potential security problem with LiveJournal, I figured I would tell them first and keep silent about it until I saw what was to be done. The only contact information that I found on the site appeared to be on their Ask a question page, linked from their Support page.

After I went and filled out the form, I discovered that the form is posted to a public forum, so anyone can read about this security problem. As a result, while I would have kept mum, since others can know about this, you may as well be informed of the security hole.

If you need more information, feel free to ask. I won't be posting exploits, but if you understand the security concern, then you probably can figure out how to exploit it. I am concerned, however, about cross-site scripting attacks. I haven't gone through their code well enough to know if someone can yet hijack your session with that, or if they need to resort to packet sniffing or physical access to your computer.