You know, I've seen that Russian meme all over my friends page, so I thought that this might be an appropriate place to warn.
There are a number of memes and links appearing now all over LJ that post to your livejournal without your permission. Basically, when you're logged into LJ, you set up a cookie session, which may or may not expire when you close your browser or log off, depending on which option you choose.
Following one of these links will send you to a site that captures this cookie information, and then sends a post to LJ. Because this post comes attached with your cookie information, it fools LJ into thinking that it's you making a post, so voila, you end up with posts in your LJ. [ETA: It's now become clear that what it actually does is fool your browser into sending the information, but does so without your knowledge, and since it's your browser, it has your information in your cookies. It doesn't therefore appear to be copying information from your cookies, and closing your browser/logging out and logging in again if you have it set up not to log you off when the browser closes should stop it from doing anything even if it does - you get a new cookie each time you log in, so unless you follow the link again you should be safe.]
Varieties available at the moment cannot capture your password, but as it can do anything you can do logged on, in theory someone may create a variety in future that could change your e-mail address, and may be able to change your password via that. It could also add you to communities, add friends to your friends list, etc., and there is also some evidence emerging that these same sites may leave you vulnerable to Trojans. [ETA: From what lj_dev have said, it appears that the loophole on update.bml does not extend to changing other things, just updating your LJ, but again it may happen in future. It appears that the main weakness is in JavaScript and the way that cookies work rather than LJ specifically.]
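The ETAs above describe a browser attaching your session cookie to a post you never meant to send, which is why a cookie alone is weak proof of intent. The sketch below is an added example, not LiveJournal's code or its actual fix; the handler names, session store and token scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to the browser
SESSIONS = {}                         # session cookie value -> username (constructed store)

def log_in(user):
    """Create a fresh session; every login yields a new cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = user
    return sid

def form_token(sid):
    """Token the site embeds in its own update form, bound to one session."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()

def update_cookie_only(request):
    """Weak handler (hypothetical): the session cookie alone authorises the post."""
    user = SESSIONS.get(request["cookies"].get("session"))
    return f"posted as {user}" if user else "rejected: not logged in"

def update_with_token(request):
    """Hardened handler (hypothetical): also requires the per-session form token."""
    sid = request["cookies"].get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return "rejected: not logged in"
    supplied = request["form"].get("token", "")
    if not hmac.compare_digest(supplied, form_token(sid)):
        return "rejected: missing or wrong form token"
    return f"posted as {user}"

def demo():
    sid = log_in("alice")
    # Constructed requests. The browser attaches the cookie to both of them.
    own_form = {"cookies": {"session": sid},
                "form": {"body": "hello", "token": form_token(sid)}}
    cross_site = {"cookies": {"session": sid},
                  "form": {"body": "meme text"}}  # a third-party page has no token
    return {
        "cookie_only/cross_site": update_cookie_only(cross_site),
        "token/cross_site": update_with_token(cross_site),
        "token/own_form": update_with_token(own_form),
    }
```

Because the token is derived from the session value, logging out and back in changes both the cookie and the token that the site's own form carries.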
More information on all of these topics can be found here:
http://www.livejournal.com/users/rosenho/274968.html
Be careful. Make sure that your virus checker is up to date. And don't be fooled by any varieties popping up that do start asking you to input your password info.
[ETA: elke_tanzer and twistedchick are usually good sources of information about these things too, so keep an eye on their journals as well.]
[ETA: Apparently LJ have now fixed the loophole being exploited by these memes. More information from isabeau here. Thanks to oceana_ for the information.]