Thu, 24 Jul 2008

6:53 PM - Session hijacking

 I was recently told that in some cases it's possible to hijack a session from any webapp, and that just journal had a problem with this.  I quickly went to work on this problem.  It has caused problems for big sites like MySpace and Facebook.  

What does session hijacking mean to me?

Session hijacking means stealing your login.  While you're logged into the account, someone could read your private blog entries and post entries to your account.  Anything you can do, they can do too.  They don't know your password, and can only do this while you're logged in.

What users can do to protect themselves:

  1. Always use the secure login feature (SSL).  This will prevent the first type of attack on your account.
  2. Always log out of just journal when you're done.  Don't just leave the site.

Steps we're taking to minimize this attack

  1. A review of just journal's code is pending.
  2. We're probably going to further limit the special characters allowed in titles of blog entries, journal titles, music, tags, etc.  We may limit what can be pasted into blog entries as well.  The only other attack possible is stealing a session cookie, which requires a cross site scripting (XSS) attack.  That means someone put JavaScript code on the site and used that to steal your session.
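To make the two measures above concrete, here is an added illustration (not just journal's own code) of the server side of each: an allow-list for user-supplied fields such as titles and tags, output escaping as a second layer, and a login cookie flagged Secure (SSL only) and HttpOnly (not readable by page scripts, which is what an XSS cookie theft relies on).  The cookie name, the field length limit and the exact character set are assumptions.

```python
import html
import re
from http.cookies import SimpleCookie
from typing import Optional

# Allow-list for fields like entry titles, journal titles, music and tags:
# letters, digits, spaces and a little punctuation.  Angle brackets, quotes
# and ampersands are left out on purpose, so markup cannot be stored at all.
# (The exact set and the 100-character limit are assumptions.)
ALLOWED_FIELD = re.compile(r"^[A-Za-z0-9 .,!?:;()\-]{1,100}$")


def field_is_allowed(value: str) -> bool:
    """Server-side check on a title/tag value, as the post proposes."""
    return bool(ALLOWED_FIELD.match(value))


def render_field(value: str) -> str:
    """Escape on output too, so a value that slipped past validation (or was
    stored before the rule existed) is shown as text, never run as script."""
    return "<h2>" + html.escape(value, quote=True) + "</h2>"


def store_field(value: str) -> Optional[str]:
    """Return the escaped HTML for an accepted value, or None if rejected."""
    if not field_is_allowed(value):
        return None
    return render_field(value)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the login session.  Secure keeps the cookie off
    plain HTTP; HttpOnly keeps page scripts from reading it.  The cookie
    name JSESSIONID is an assumption."""
    cookie = SimpleCookie()
    cookie["JSESSIONID"] = session_id
    cookie["JSESSIONID"]["secure"] = True
    cookie["JSESSIONID"]["httponly"] = True
    cookie["JSESSIONID"]["path"] = "/"
    return cookie["JSESSIONID"].OutputString()


if __name__ == "__main__":
    # Constructed sample titles; the second one carries markup and is rejected.
    for title in ["Thursday night music", "<i>html</i> in a title"]:
        print(repr(title), "->", store_field(title))
    print(session_cookie_header("constructed-session-id"))
```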

location: Home

tags: session hijacking xss justjournal software security
