Steals email addresses and lowers privacy settings

Sep 24, 2009 13:42 GMT

Users of the LiveJournal blogging platform were the target of a malicious attack on Tuesday, when a social networking worm that spread by simply viewing an infected post was released on the website. The malware stole email addresses and made private blog entries accessible to everyone.

The LiveJournal staff has posted a detailed announcement describing the attack, which is said to have lasted less than two hours. As a result, the ability to embed video files in blog entries was suspended; it has since been restored for a few trusted services such as YouTube.

The social networking worm propagated through an embedded Flash movie whose allowScriptAccess parameter was set to "always". That setting lets a SWF hosted on an attacker-controlled domain run JavaScript in the context of the livejournal.com page that embeds it, which turns the embed into a stored cross-site scripting vector. According to Adobe, "When AllowScriptAccess is 'always,' the SWF file can communicate with the HTML page in which it is embedded even when the SWF file is from a different domain than the HTML page."

Upon viewing an already infected posting, the exploit proceeded to compromise the visitor's account: it added the malicious code to their latest entry, reset its icon and metadata, and set its security to public so that it could be viewed by everyone. Additionally, the email address registered with the account was recorded and possibly uploaded to a third-party server.

"Through reports and our investigation this evening, we've seen fewer than 100 affected entries; however, due to the nature of friends pages it is likely more widespread than this," the LiveJournal staff note. All users are advised to check if their latest blog entries contain four blocks of embedded Flash at the end. According to an LJ user who analyzed the attack, the code is of the form:

```html
<lj-embed id="26">
<object width="1" height="1">
    <param name="movie" value="LINKTOBADFLASH"></param>
    <param name="wmode" value="transparent"></param>
    <param name="allowScriptAccess" value="always"></param>
    <embed src="LINKTOBADFLASH" type="application/x-shockwave-flash" width="1" height="1" wmode="transparent"></embed>
</object>
</lj-embed>
```
This threat bears striking similarities to the Pinkren worm discovered on the Chinese social network Renren at the end of August. There is no indication that the LiveJournal worm attempted to infect visitors' computers with malware, which intrigued security researchers, according to The Register.