The anthem of the Russian Federation has served the good service of LJ
Recently, in the Russian-speaking part of LiveJournal, the hymn of the Russian Federation sounded here and there, which, however, was not an appeal to “stand up” for a minute to the patriots of the country. The organizers of the venture - and it was the venture that took place - were expecting a reaction directly from the administrators of Livejournal.com, and this reaction was not slow to appear, although not in the desired completeness.
It began with the fact that one attentive user of the service noticed a bug that opened the way for some undesirable things. Other users of LiveJournal, initiative, decided to draw attention to the bug by undertaking the action, which was defined as a flash mob, which may not be the most appropriate term, because people had very specific goals, and, importantly, good.
Participants of the action with the filing of the blogger linker placed in the LJ-postings and comments invisible code - 1 × 1 pixel - flash-video with the anthem. Judging by the explanations of the linker, the possibility of such an action is the essence of a bug that allows hacking the logs of users who downloaded the “flash drive”.
')
For a more detailed comment "Habrahabr" turned to LJ-user zmey2 , who discovered the "hole" in the system a month ago.
The blogger explained that playing the anthem is “only part of the possible vulnerabilities associated with the fact that YouTube allows you to specify in the parameter the address of the resource for the stub picture, which can be not only a picture, but also a flash movie”.
“There are other potential gaps,” says zmey2. - In particular, the manipulation of the autoplay parameter and BASE_YT_URL. With the help of autoplay, you can insert a clip into the post, which will be loaded without the permission of the person watching it. It can be very unpleasant if the video is inserted into, say, a popular community — people will see and hear what they may not really want, and will also pay for traffic. ”
Another aspect of the vulnerability is in the possible substitution of the base URL, which is used for links in the video controls. “You click, say, on the play button, and get on such a page .
According to zmey2, there are few holes in LJ, but there are some, which is connected with the expansion of LJ functionality. Preventive measures are appropriate - the administration of the service should improve the error reporting system, be more attentive to bug reports. So far - the bug "with the anthem," for example, is eliminated only cosmetically.
It began with the fact that one attentive user of the service noticed a bug that opened the way for some undesirable things. Other users of LiveJournal, initiative, decided to draw attention to the bug by undertaking the action, which was defined as a flash mob, which may not be the most appropriate term, because people had very specific goals, and, importantly, good.
Participants of the action with the filing of the blogger linker placed in the LJ-postings and comments invisible code - 1 × 1 pixel - flash-video with the anthem. Judging by the explanations of the linker, the possibility of such an action is the essence of a bug that allows hacking the logs of users who downloaded the “flash drive”.
')
For a more detailed comment "Habrahabr" turned to LJ-user zmey2 , who discovered the "hole" in the system a month ago.
The blogger explained that playing the anthem is “only part of the possible vulnerabilities associated with the fact that YouTube allows you to specify in the parameter the address of the resource for the stub picture, which can be not only a picture, but also a flash movie”.
“There are other potential gaps,” says zmey2. - In particular, the manipulation of the autoplay parameter and BASE_YT_URL. With the help of autoplay, you can insert a clip into the post, which will be loaded without the permission of the person watching it. It can be very unpleasant if the video is inserted into, say, a popular community — people will see and hear what they may not really want, and will also pay for traffic. ”
Another aspect of the vulnerability is in the possible substitution of the base URL, which is used for links in the video controls. “You click, say, on the play button, and get on such a page .
According to zmey2, there are few holes in LJ, but there are some, which is connected with the expansion of LJ functionality. Preventive measures are appropriate - the administration of the service should improve the error reporting system, be more attentive to bug reports. So far - the bug "with the anthem," for example, is eliminated only cosmetically.
Source: https://habr.com/ru/post/4202/
All Articles