octothorpe: (neo)
It's come to my attention that some links put into comments are being redirected to a potentially malware-delivering website. This is what I've found…


  • It's not happening on every link, but it is happening consistently on some links.

  • Looking at the source for the page, the header javascript seems to be legit, although further investigation is necessary. (stepping through the code)

  • While clicking (with or without a key-modifier) on the link will trigger the redirect, dragging the link to a new window will NOT trigger the redirect (so it's not the destination URL that is the problem)

  • The redirect ('click-jack') works in Firefox (Mac) and in Safari (Mac) browsers that I've tested. It's probably safe to say that it is entirely platform (Mac, Win/Linux) and browser agnostic. YOU ARE VULNERABLE

  • Embedded images and video can be displayed and played normally, although it is not known if clicking to go to the original image/video will trigger the redirect

  • Modern versions of Safari will warn you, and prevent you from going to the click-jacked destination, assuming your "Fraudulent Sites" checkbox is checked in Safari's preferences

IT IS VERY IMPORTANT THAT YOU DO NOT EXPOSE YOURSELF TO THIS CLICK-JACKING. For now, it seems the only safe way to go to an external URL through Livejournal is to drag the link into a new window.
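The click-versus-drag difference noted above is the useful diagnostic: dragging a link only uses its href, while clicking also runs any click-time handler (onclick, onmousedown, onmouseup) attached to the anchor, so a redirect that fires on click but not on drag lives in a handler rather than in the URL. The following is an added example, not code from the original post or from LiveJournal, that triages saved page source for anchors whose click handler navigates somewhere other than the href's host. The function names, the attribute list and the sample HTML (including the hosts example.org and bad.example.net) are constructed for the example; it scans the markup with regular expressions rather than a real DOM, which is adequate for a quick page-source review but is not a full HTML parser.

```javascript
// Added example (not from the original post): flag anchors whose click-time
// handler could send the browser somewhere other than the visible href.
// Runs under Node without a DOM; input is an HTML string (e.g. saved source).

const CLICK_HANDLER_ATTRS = ['onclick', 'onmousedown', 'onmouseup'];

// Handler text that performs navigation on its own.
const NAVIGATION_PATTERN = /\b(?:location\b|window\.open\b)/i;

// Pull name="value" / name='value' / name=value pairs out of a tag body.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Hostname of an absolute URL, or null for relative/unparseable values.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Return one finding per anchor whose click handler navigates and whose
// destination host is not the href's host (or cannot be resolved at all).
function findClickHijackedLinks(html) {
  const findings = [];
  const anchorRe = /<a\b([^>]*)>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    const href = attrs.href;
    if (!href) continue;
    for (const name of CLICK_HANDLER_ATTRS) {
      const handler = attrs[name];
      if (!handler || !NAVIGATION_PATTERN.test(handler)) continue;
      // First absolute URL inside the handler, if any, for a host comparison.
      const urlInHandler = (handler.match(/https?:\/\/[^\s'"()]+/i) || [null])[0];
      const hrefHost = hostOf(href);
      const handlerHost = urlInHandler ? hostOf(urlInHandler) : null;
      if (handlerHost === null || handlerHost !== hrefHost) {
        findings.push({ href, handler: name, target: urlInHandler, hrefHost, handlerHost });
      }
    }
  }
  return findings;
}

// Constructed sample: one clean link, one hijacked link, one same-host
// handler, one non-navigating (tracking) handler.
const SAMPLE_HTML = `
<p>Normal: <a href="https://example.org/page">example</a></p>
<p>Hijacked: <a href="https://example.org/page"
   onclick="window.location.href='http://bad.example.net/landing'; return false;">looks fine</a></p>
<p>Same host: <a href="https://example.org/a" onclick="location.href='https://example.org/b'">ok</a></p>
<p>Tracking: <a href="https://example.org/c" onclick="track('c')">ok</a></p>
`;

console.log(JSON.stringify(findClickHijackedLinks(SAMPLE_HTML), null, 2));
```

Only the second anchor is reported: its href points at example.org while the onclick handler navigates to bad.example.net. A handler that is attached with addEventListener in the page's header script will not show up as an attribute, which is why the post's note about stepping through the header JavaScript still matters; this check covers the inline-attribute case that a drag-versus-click difference most often points to.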
