PSA

Jun. 12th, 2004 09:39 am
pauraque_bk: (his dark materials)
[personal profile] pauraque_bk
There are a couple of destructive memes going around.

If you see a form written in Russian with a bunch of usernames, don't put in yours.

If you see a post with nothing but a link that says "This is very interesting", don't click it.

These memes exploit a hole in LJ security and automatically post to your journal. There's some discussion on closing the hole in lj_dev here.

If one of these memes already got you, clear your cookies and change your password.

EDIT: Having read a little more about this problem, my advice is not to put in your username anywhere except LJ's own pages until this issue is resolved.

Date: 2004-06-12 09:49 am (UTC)
From: [identity profile] fernwithy.livejournal.com
Yeah, I got one. Thanks for the suggestion.

Re: Thanks!

Date: 2004-06-12 10:02 am (UTC)
From: [identity profile] threeoranges.livejournal.com
Does this apply if you only entered your lj-username and didn't actually enter a password/do anything to update your lj?

*worried* :-)

Re: Thanks!

Date: 2004-06-12 10:19 am (UTC)
pauraque: bird flying (Default)
From: [personal profile] pauraque
When you put in your username, the destructive memes exploit your login cookies and use javascript to post to your journal without you doing anything, or putting in your password at all.

Most memes that ask for your username are benign and don't exploit the security hole; if you didn't get a mysterious new post on your journal, you did one that was harmless, or has had its code altered to prevent it from posting. Of course, it never hurts to change your password, just in case!

Re: Thanks!

Date: 2004-06-12 10:23 am (UTC)
From: [identity profile] threeoranges.livejournal.com
Great, I didn't suffer the rogue posting but am off to change my password now. Much appreciated!

Date: 2004-06-12 10:06 am (UTC)
From: [identity profile] chelsea-energy.livejournal.com
I *knew* there was something fishy about those Russian memes, and thus I did not enter my name. Boy am I glad now. Did you see they have them in English now? Something about how long can you make your sausage...

Date: 2004-06-12 10:31 am (UTC)
pauraque: bird flying (Default)
From: [personal profile] pauraque
That's what the Russian one says too; the English one is a translation. (I thought my limited Russian had failed me when I first read it... "whose sausage is the longest?" the hell?)

Basically, right now it looks like everyone should be careful about clicking on unknown forms and links until they fix the hole.

Date: 2004-06-12 10:33 am (UTC)
From: [identity profile] chelsea-energy.livejournal.com
I can imagine. I would've been wondering about my language skills too... lol

Date: 2004-06-12 01:27 pm (UTC)
ext_36862: (Default)
From: [identity profile] muridae-x.livejournal.com
I suspect that this particular little bug is going to herald a downturn in the popularity of that sort of "fill in your LJ name and click" meme, for a while at least. At least the LJ coders are on the case already, discussing ways to foil it without breaking all the LJ clients.

Me, I just saw the Russian sausage meme and went "huh?" It didn't attract me enough to want to do it; the dangerous thing will be if someone comes up with an attractive/compulsive meme with this kind of malignant code in it.
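Added example, not part of the original thread and not LiveJournal's code: a server-side check that refuses the kind of cookie-driven automatic post described above while still accepting posts from desktop clients that send their own credentials. The host name, field names and the `clientAuth` flag are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Constructed values for this example; not LiveJournal's real hosts or keys.
const SITE_ORIGIN = "https://journal.example";
const SERVER_KEY = crypto.randomBytes(32);

// Token bound to one login session. The site embeds it only in its own
// "post entry" form, so a form hosted on another site cannot know it.
function issueFormToken(sessionId) {
  return crypto.createHmac("sha256", SERVER_KEY).update(sessionId).digest("hex");
}

// Constant-time comparison of the supplied token with the expected one.
function tokenMatches(sessionId, supplied) {
  const expected = Buffer.from(issueFormToken(sessionId));
  const got = Buffer.from(String(supplied || ""));
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Decide whether a "post entry" request may proceed.
// req: { method, headers, sessionId, formToken, clientAuth }
//   sessionId  - taken from the login cookie, or null if no cookie was sent
//   clientAuth - hypothetical flag: true only after the server has verified
//                a username/password sent explicitly by a desktop client
function allowPost(req) {
  if (req.method !== "POST") return { ok: false, why: "state change must be POST" };
  // Clients that authenticate each request themselves do not rely on the
  // browser's cookie, so a third-party page cannot ride on their login.
  if (req.clientAuth && !req.sessionId) return { ok: true, why: "explicit client auth" };
  if (!req.sessionId) return { ok: false, why: "not logged in" };
  // Browsers that send Origin let us reject other sites' forms outright.
  const origin = req.headers.origin;
  if (origin && origin !== SITE_ORIGIN) return { ok: false, why: "cross-site origin" };
  // The cookie alone is never enough: the per-session token must be present.
  if (!tokenMatches(req.sessionId, req.formToken)) {
    return { ok: false, why: "missing or bad form token" };
  }
  return { ok: true, why: "same-site form with valid token" };
}
```

With this check the login cookie by itself no longer authorizes a post, which is the property the meme forms relied on.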

Date: 2004-06-12 03:18 pm (UTC)
pauraque: bird flying (Default)
From: [personal profile] pauraque
Yes, exactly, that's why I changed my advice to "Don't put your name in anywhere or click anything you don't recognize". We've been lucky here on LJ so far, but we need to remember that we're working with open-source code. There are bound to be breaches.

And frankly, I'm not going to be too sad if this results in a decrease of pointless random-result memes. A lot of people habitually don't cut them, and the table code can muck up my friends page layout, which is also tables-based. It's my policy to bite my tongue about this; it's their LJ, I chose to flist it, I can defriend if I want. But I would certainly be pleased to see less of it.

Date: 2004-06-12 03:29 pm (UTC)
ext_36862: (Default)
From: [identity profile] muridae-x.livejournal.com
Being a sad, sad geek who knows HTML I quite often correct the code of the handful of memes that I do cut and paste, so I know what you mean about the iffiness of some of the code. Also, I guess I'm just naturally suspicious.

Incidentally, can I take this opportunity to say how much I adore your current default icon? Darn, Peter's just adorable there. Squeak squeak.

Date: 2004-06-12 06:02 pm (UTC)
pauraque: bird flying (my heart belongs to wormtail)
From: [personal profile] pauraque
Only sad geeks know HTML? Uh-oh, I'm in trouble. :)

And thanks -- he is adorable, isn't he?

Date: 2004-06-13 05:22 am (UTC)
ext_36862: (Default)
From: [identity profile] muridae-x.livejournal.com
Nah. What I mean is that I'm both sad and a geek. :-)

Date: 2004-06-12 07:17 pm (UTC)
From: [identity profile] t-winkle725.livejournal.com
Eeep. Sorry, I had no idea I should be lj-cutting my quiz-results - my knowledge of HTML would fit on the business end of a very, very small teaspoon...:)

Thanks for the virus alert - am thinking up a new password already...

Date: 2004-06-12 08:16 pm (UTC)
pauraque: bird flying (Default)
From: [personal profile] pauraque
Well, "should" is a tricky term on LJ, where the etiquette rules aren't very well established. That's why I make it a point not to tell people what/how they should and shouldn't post on their LJ.

That said, there are a few reasons not to post quiz results without a cut. One is that some fans have A LOT of people on their flists, and seeing the same quiz result over and over is simply irritating.

Another is that they may make some people's flist layouts not display properly, either because they're too wide for the column, or because they use poorly-coded HTML tables.

Something else to think about is that when an image is posted without a cut, it ends up wasting the bandwidth of the server it's on, because it's refreshed so often by people checking their flists. It can also waste the time of the people doing the checking -- their connection may be slow, and they may not want to re-load that image every time they check their flist.

Again, I'm not saying people *should* do this or that, just sharing information.

Date: 2004-06-12 04:22 pm (UTC)
From: [identity profile] spug.livejournal.com
The memes are not able to get your password, and are not dangerous. See the answers to the following support requests as a reference: http://www.livejournal.com/support/see_request.bml?id=294736

They're annoying, but let's not resort to hysteria. Nobody's getting anyone's passwords :)

Date: 2004-06-12 05:45 pm (UTC)
pauraque: bird flying (Default)
From: [personal profile] pauraque
What I posted was not "hysterical". Changing your password after something like that is just good sense.

Date: 2004-06-12 05:48 pm (UTC)
From: [identity profile] spug.livejournal.com
No, no, I didn't mean that your post was hysterical. We just don't want to create hysteria all over LJ over something that frankly is pretty harmless.

Date: 2004-06-12 06:00 pm (UTC)
pauraque: bird flying (Default)
From: [personal profile] pauraque
If you don't think I'm contributing to the hysteria, then don't imply that I am. I don't appreciate it.

Date: 2004-06-12 06:04 pm (UTC)
From: [identity profile] spug.livejournal.com
Of course you don't. I apologize.

Date: 2004-06-12 07:06 pm (UTC)
pauraque: bird flying (Default)
From: [personal profile] pauraque
Accepted. No harm done.

Date: 2004-06-12 08:38 pm (UTC)
From: [identity profile] t-winkle725.livejournal.com
Absolutely!

It's the sort of thing someone like myself can be so blissfully unaware of - and if it's a question of f*%&king up someone else's f-list - of course it's a 'should', no doubt about it -

What we really need here, is some sort of lj etiquette community - where people can post concerns like this to a public forum, without offending anyone - just, you know, 'No offence, but...This is stuff you NEED TO KNOW.....'

*g*

Date: 2004-06-12 09:12 pm (UTC)
pauraque: bird flying (Default)
From: [personal profile] pauraque
It would be a good idea if it *could* be done without offending anyone, but that's just it-- someone always takes it as a personal affront. Not everyone understands the dif between "I'm telling you why this might put people off" and "I'm telling you what you ought to do because I know best".

Also, I'm sure the sense of what's acceptable varies in the different regions of LJ. I think it's mainly fandom where we get people with HUGE flists that they actually read, and so it's in fandom that whether people LJ-cut things becomes a community issue.
