Livejournal Hack

I’ve been following the Livejournal hack closely because as someone who runs many services that allow user submitted content, any new developments in XSS are very important to stay on top of. So far the only official technical explanation I’ve seen is here on lj_dev. Since we don’t allow template editing or embedded JS or styles on I can’t think of any vectors for attack, but you never know with these things. More on moz-binding.

5 thoughts on “Livejournal Hack

  1. LJ sez: “Error: No such Entry”

    Hmm. Cookies, moz-binding, and a Firefox 1.0.x to 1.5.x change? I’ll have to let that simmer for a while (or catch an lj_dev post before it gets disappeared).

  2. Something I find brilliant about Blogger is that they use different domains for blog admin and blog presentation: and This keeps the login cookies safe from scripts running on All that’s left is to filter comments, which are sometimes viewed by the logged-in user on the domain.