LiveJournal security issue: access to locked entries

The latest code release onto LiveJournal has introduced a problem where people are randomly getting logged into the wrong journals. This exposes friends-locked and filtered entries belonging to those journals to those random people. There’s no indication that this has been used to read the locked entries of a specific, targeted user, but there’s no analysis of the problem available, so we don’t know that it can’t be, either. Edit: It looks like this was a problem with caching. If that’s true, it’s unlikely that it could have been used to read posts from a specific user. More here from cahwyguy.

More information is available here.

This has been going on since at least yesterday morning, yet LJ still hasn’t responded officially to reports of the problem or warned users that their private data is at risk. Edit: LJ has posted about the problem; however, they don’t seem to have some details right. For instance, they’re claiming it was only a problem for a few minutes, when people were noticing it all day on Thursday.

This is the second time that LJ has dealt with a major security incident with staggering incompetence. It illustrates that they apparently don’t have a test server, i.e. they’re a bunch of cowboys. My vague plans to move this blog just got a lot less vague.

3 Comments on "LiveJournal security issue: access to locked entries"

  1. Yep, I encountered the weirdness yesterday & assumed it was my browser screwing up the CSS while I was viewing someone’s post.

    I regret renewing LJ for even 2 months when my Paid account was set to expire; my friends & fandom are here. Although I don’t want to fracture fandom by recommending WordPress vs. Dreamwidth in a “Let’s Migrate from LJ” campaign, that day is not too far away. I am not getting my money’s worth from this service.


    1. I can well believe they buggered their caching up, but I don’t believe the “3 minutes” part: people were reporting the problem repeatedly throughout Thursday.

