Flash-based cross-scripting LJ security hole

[solarbird]

As described in this post in News, there's a Flash-based cross-site scripting bug that edits the most recent post of any logged in user who views content containing the script. This journal's previous entry was affected - code embedding infected video was added to that post after I viewed an apparently-infected post on my friendslist. As a result, LJ staff have partially disabled embedding while they work on a better solution. So be aware of this, and check your most recent posts as described in this post in News. Youtube embeds aren't affected, and have already been re-whitelisted.

Comments

[leftbase.livejournal.com]

Yeah, it happened to me and two other users that I know of also.

[technoshaman.livejournal.com]

*nods* checked my pages, and my last embed was too early to have been affected (and wasn't)... #include grumbles_about_proprietary_stuff.h

[maellenkleth]

I seem to have dodged this, what with having Flash blocked on all of our various machines. Still, it's a reminder that security is an ongoing process.

[flashfire.livejournal.com]

I saw that box thing on one of yours yesterday.

[blues-kun.livejournal.com]

So that's what that goofy box shit was about.

Good thing I have embedded media blocked by default and run Flashblock on top of that, lol~