Groo

[j4]

I am stupid. Apparently I stepped into a security hole. Thanks to burkesworks for pointing it out.

Mind you, the clicky-meme wasn't in Russian when I saw it, so I don't quite understand why all the clever geeks are making bitchy comments about morons who click things they can't even read... it looked like just another crappy What Kind of Pavlovian Reaction to Web Buttons Are You quiz, and I was bored.

Yeah, you can all post followups where you point and laugh at me now. :-(

Comments

[saraphale.livejournal.com]

I will not point and laugh. It wasn't stupid of you; people get caught out by things, it happens to everyone, whether they like to admit it or not.

*hugs*

[ewx.livejournal.com]

The claim that the Russian/sausage one gathers passwords isn't born out by reading the source, at least to the one you had; it just submits an ordinary LJ update form and relies on your browser supplying the LJ cookie to LJ when it's submitted. The bulk of the code is merely time and date handling.

(That the browser passes the cookie when the submission wasn't requested by the user but by a bit of Javascript from some different site is arguably a violation of at least the spirit of Javascript's security model, but I'm no expert on Javascript, so don't take my word on this particular point. That said I do at least know the difference between Javascript and Java, apparently unlike a few of the people I've seen claiming to know what they were talking about on this particular subject.)

The only thing that looks even slightly like a variant that's purported to collect passwords does so by ... having a box for you to type your password into. (A joke, in other words.)

[oldbloke.livejournal.com]

Maybe it's not so much Javascript's fault: isn't it sort-of a parallel to the shatter attack where any open window can assume the privilege level of any other open window, thaks to the way Bill's boys built their execrable OS?
Mind you Janet doesn't use BillOS so...
I have some chores to do.

[new-brunette.livejournal.com]

There for the grace of God go all of us! Don't beat yourself up; I work with techies and some of them are amazingly gullible and occasionally fall for those email viruses which require you to type a password in to unzip the attachment - reminiscent of that "Irish Virus" email joke which was doing the rounds a couple of years ago. This one, and its derivatives, were pretty harmless anyway.

[bjh21.livejournal.com]

I'm not pointing and laughing. I'm gibbering softly about the fact that this problem (which doesn't really need JavaScript, incidentally -- that just makes it easier) affects pretty much any authenticated Web application, unless the author has thought of it, which I certainly hadn't.

[sesquipedality.livejournal.com]

Had to clean a worm off my PC a couple of days back. Since my firewall would prevent this spreading I can only assume I got infected by running an infected binary.

I also deleted my home directory by mistake once.

Don't know if I count as one of the techo-l33t, but anyone can make a mistake. I would've probably done the same.

Some inadequate geeks like to feel superior. What's so smart about having seen a warning before having seen the trap?

[oldbloke.livejournal.com]

Ah, yes, I once copied some files to c:\ by mistake, and in a moment of madness tried to tidy them up by doing del c: and actually saying Y to the question... Of course all the subdirs etc would be OK, but in the version of Windows I did it on there was some fairly vital stuff in the root. Seem to recall being saved by Norton Unerase.

[taimatsu]

I'd have done it if it hadn't been that I'm checking so rarely at the moment that by the time I saw those memes they were surrounded on the page by the discussion of the problwms with them. I'd have clicked without a thought otherwise. It's not unreasonable to assume something posted by a friend is not malicious, so I don't think there's anything for people to point and laugh about.