Kolbasa hack

There are a couple “click this link and have stuff automatically posted to your journal” things going around today, as well as a real misunderstanding of what’s happening.

The first one (that I know of) was the Russian “sausage” thing written by nightway (journal written in Russian, sorry). It posts a list of LJ usernames to your journal, with your own username appended to the end of the list, and a form that will post it to the journal of anyone who uses it.

The second one I saw is the “this is very interesting” one, which seems to use the code from the first one, with the addition of an image tag that hits what’s probably a logging script on the creator’s web site. What the purpose of this logging is I’m not sure, but it also can’t be anything too nefarious. A few similar ones written by LJ user CDK are available in his journal, as well as the source code.

THEY DO NOT STEAL PASSWORDS!

This just isn’t possible.1 All they do is hit the LJ ‘update journal’ page with your username and pre-filled form fields. The result is what you see, the pre-filled text is posted to your journal. Note that it doesn’t work if you’re not logged in. Because it’s written in JavaScript, it also doesn’t work if you disable JS (but there’s no reason it couldn’t be rewritten as a server-side script that would work either way). It is also not a virus, nor does it do anything to your journal that you can’t undo by simply deleting the entry it posts. Because it’s harmless, there’s also no danger in leaving the post in your journal.

1. In theory it is possible for your LJ (or any other) session to be hijacked by a web page, but you’d have to be using a browser with a security vulnerability that would allow it. I don’t think that even the current version of IE, which is still riddled with security holes, has this particular problem at the moment. If you have ActiveX enabled, however, all bets are off, as you’re pretty much vulnerable to just about anything anyone wants to throw at you. This is how a lot of spyware gets installed. IE users should probably consider disabling ActiveX.

Note that my use of the word hack in the title of this post is using the word to refer to a “clever trick”, not to h4xx0rz.

Comments

kar3ning says:

Well, that’s good to know. I’m still not touching it with a 10 foot pole, though.

Funny you should mention ActiveX: If I’m using IE, but can never get ActiveX to actually work right, am I better off without it? Is there a way to get around ActiveX so I can reinstall the stupid Flashplayer plugin?

kchrist says:

You are absolutely better off with ActiveX disabled, full stop.

I seem to recall hearing or reading once that IE implements plugins as ActiveX controls, so Flash may not work with it disabled. But never having been an IE user, I really can’t say for sure.

Why not just drop IE and use Mozilla or Firefox? You’ll get better security and a ton of features you don’t have now, including extensions to do just about whatever you want. </advocacy> (extensions site seems to be broken at the moment)