Full Disclosure mailing list archives

[LJVN-0001] Livejournal.ru non-persistent XSS
From: <ljuser () hushmail com>
Date: Sun, 17 Jun 2007 20:36:22 +0100

Livejournal.ru non-persistent XSS leaks the livejournal.com user name
and may allow cookie-stealing attacks on livejournal.ru itself.
The attack works on users who have never visited livejournal.ru; the
only requirement is that they are logged in to livejournal.com.

Livejournal.ru is a partner site (run by SUP Fabrik) of the widely
used journal/blog site livejournal.com. There is cross-site
authentication so that users only have to log in to livejournal.com
to be authenticated at both sites.

A livejournal user has noticed and publicly described (at
http://community.livejournal.com/no_lj_ads/62908.html) an XSS
security hole in http://www.livejournal.ru/ratings/posts.

This is compounded by the fact that, on visiting this URL,
livejournal.ru uses a modified form of OpenID to automatically sign
the user in using their livejournal.com identity and return them to
the URL. (Unlike normal OpenID, this happens without any user
interaction.) The user does not need to have registered with
livejournal.ru for this to work.

Proof-of-concept URL (should display a javascript alert with your
livejournal user name if you are logged in to livejournal.com):


The obvious way to exploit this is for a website to use it to
obtain visitors' livejournal user names without their permission.
The site owners can then view the visitors' livejournal profiles
and publicly-viewable journal entries, revealing private and semi-
private information that the visitors didn't expect the website to
be able to link to their visit.

It shouldn't be possible to use this to compromise users'
livejournal.com accounts (due to the use of OpenID for
authentication), but it seems likely that a cookie-stealing attack
on livejournal.ru is possible.
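To make the two consequences described above concrete, here is an added illustration (not code from the original post, and not livejournal.ru's code): a minimal model of a ratings page that reflects a query parameter into its HTML next to the user name supplied by the partner-site SSO step. The vulnerable renderer shows how a reflected parameter becomes active script that runs with the user's livejournal.ru session and can see the user name; the hardened renderer escapes everything reflected into the page and marks the partner session cookie HttpOnly so script cannot read it. The URL parameter name, cookie name and function names are assumptions.

```python
"""
Added example (not from the original post): reflected parameter rendered
unescaped next to an SSO-supplied user name, beside the hardened form.
The 'sort' parameter, the 'ljru_session' cookie and all function names
are assumptions, not livejournal.ru's real code or identifiers.
"""
import html
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed sample request, as the auto-login step would return the
# browser to the ratings page. The payload is a constructed test value.
SAMPLE_URL = "http://www.livejournal.ru/ratings/posts?sort=<script>alert(1)</script>"
SSO_USER = "example_user"  # constructed user name supplied by the SSO step


def reflected_param(url, name, default):
    """Pulls one query parameter out of the request URL."""
    return parse_qs(urlsplit(url).query).get(name, [default])[0]


def render_vulnerable(url, username):
    """Reflects the parameter unescaped: the bug class the post describes.
    Any markup in the parameter is emitted as-is and executes in the
    context of the logged-in partner-site session."""
    sort = reflected_param(url, "sort", "date")
    return f"<p>Logged in as {username}</p><p>Sorted by: {sort}</p>"


def render_hardened(url, username):
    """Escapes every value reflected into the HTML body, including the
    SSO-supplied user name, since it is also attacker-influenced data."""
    sort = reflected_param(url, "sort", "date")
    return (f"<p>Logged in as {html.escape(username)}</p>"
            f"<p>Sorted by: {html.escape(sort)}</p>")


def session_cookie_header(session_id, hardened):
    """Builds the Set-Cookie header for the partner-site session.
    HttpOnly keeps the cookie out of reach of injected script, which is
    the cookie-stealing consequence the post warns about."""
    cookie = SimpleCookie()
    cookie["ljru_session"] = session_id
    if hardened:
        cookie["ljru_session"]["httponly"] = True
    return cookie.output(header="Set-Cookie:").strip()


def contains_active_script(html_text):
    """Crude check used by this example: is a raw <script> tag present?"""
    return "<script" in html_text.lower()


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_URL, SSO_USER))
    print(render_hardened(SAMPLE_URL, SSO_USER))
    print(session_cookie_header("constructed-session-id", hardened=True))
```

The escaping alone closes the user-name leak through this page; the HttpOnly flag is the separate mitigation for the session-cookie exposure, and only helps if the partner site sets it on every cookie that grants access.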

This is also not a compromise of OpenID - livejournal.com have
deliberately whitelisted livejournal.ru and added a means for them
to obtain the correct OpenID identity URL (which would otherwise
have to be manually entered by the user).

Vendor notification
None by me; I can't speak Russian. It has been public knowledge for
several weeks, and it's time the security community knew about it.

Use custom styles on your journal to insert bogus OpenID
information in its head element, breaking the OpenID
authentication. Then delete all livejournal.ru cookies. Note that
this will prevent you from logging into livejournal.ru and other
OpenID-enabled sites using your livejournal as your identity.

Alternatively, don't visit untrustworthy sites whilst logged in to

Even better, don't log in to livejournal.

Be careful which external websites you set up transparent single
sign-on for. Even if the SSO is done securely and the site owner is
trustworthy, security vulnerabilities in the partner site may have
undesirable privacy implications.

Greetz to bantown, revmischa and bradfitz.