October 27, 2011

The latest code release onto LiveJournal has introduced a problem where people are randomly getting logged into the wrong journals. This exposes friends-locked and filtered entries belonging to those journals to those random people. There’s no indication that this was used to read the locked entries of a specific, targeted user, but there’s no analysis of the problem available, so we don’t know that it can’t be, either. Edit: It looks like this was a problem with caching. If that’s true, it’s unlikely that it could have been used to read posts from a specific user. More here from cahwyguy.

More information is available here.
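To show how a caching problem can produce exactly this symptom (one person served another person's logged-in page), here is an added example; it is not LiveJournal's code and does not claim to be what actually went wrong there. It models a generic shared reverse-proxy cache in front of a site that renders per-user pages, with constructed session cookies, user names and locked entries. The broken origin emits no cache headers, so the first user's page is stored under the URL and replayed to the next user; the hardened origin marks the page `Cache-Control: private, no-store`, which a conforming shared cache will not store.

```python
"""Shared-cache session mix-up: a constructed illustration (not LiveJournal's code)."""
from dataclasses import dataclass, field

# Constructed sample data: which session cookie belongs to whom, and each
# user's friends-locked entries. None of this is real.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
LOCKED_ENTRIES = {
    "alice": ["alice: locked entry about work"],
    "bob": ["bob: locked entry about family"],
}


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def render_friends_page(cookies: dict) -> Response:
    """Origin server as it should NOT be: a per-user page with no cache headers."""
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        return Response("not logged in")
    body = f"logged in as {user}\n" + "\n".join(LOCKED_ENTRIES[user])
    return Response(body)


def render_friends_page_private(cookies: dict) -> Response:
    """Hardened origin: same page, explicitly marked uncacheable by shared caches."""
    resp = render_friends_page(cookies)
    resp.headers["Cache-Control"] = "private, no-store"
    return resp


def marked_uncacheable(resp: Response) -> bool:
    """Audit helper: does an authenticated response forbid shared caching?"""
    cc = resp.headers.get("Cache-Control", "").lower()
    return "private" in cc or "no-store" in cc


class SharedCache:
    """A reverse-proxy cache keyed on URL only, honouring Cache-Control.

    It ignores cookies when looking up entries, which is fine for public
    pages and disastrous for per-user pages that are not marked private.
    """

    def __init__(self, origin):
        self.origin = origin
        self.store = {}

    def get(self, url: str, cookies: dict) -> Response:
        if url in self.store:
            return self.store[url]  # served to whoever asks, cookie ignored
        resp = self.origin(cookies)
        if not marked_uncacheable(resp):
            self.store[url] = resp
        return resp


def simulate(hardened: bool) -> tuple:
    """Alice loads /friends, then Bob does. Return who each of them is shown as."""
    origin = render_friends_page_private if hardened else render_friends_page
    cache = SharedCache(origin)
    alice_view = cache.get("/friends", {"session": "sess-alice"}).body.splitlines()[0]
    bob_view = cache.get("/friends", {"session": "sess-bob"}).body.splitlines()[0]
    return alice_view, bob_view


if __name__ == "__main__":
    print("broken origin:  ", simulate(hardened=False))
    print("hardened origin:", simulate(hardened=True))
```

With the broken origin Bob's request is answered from Alice's cached page, so he is "logged in as alice" and sees her locked entries; with the hardened origin each user gets their own page. Adding `Vary: Cookie` is a common second line of defence, but the reliable fix is for every authenticated response to carry `private`/`no-store`, and `marked_uncacheable` is the kind of check a deployment test can run over such responses before a release goes out.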

This has been going on since at least yesterday morning, yet LJ still hasn’t responded officially to reports of the problem or warned users that their private data is at risk. Edit: LJ has posted about the problem; however, they don’t seem to have some of the details right. For instance, they’re claiming it was only a problem for a few minutes, when people were noticing it all day on Thursday.

This is the second time that LJ has dealt with a major security incident with staggering incompetence. It illustrates that they apparently don’t have a test server, i.e. they’re a bunch of cowboys. My vague plans to move this blog just got a lot less vague.