PSA: LJ, purged accounts, and OpenID

Jul. 15th, 2010 10:26 am
pseudomonas: My rat is confused by technology (technology)
[personal profile] pseudomonas
Livejournal announces that they're going to have a round of purging and reselling account names of people who've deleted their journals, suspended journals, and "inactive" journals*.

ETA: I misread that - they're currently purging deleted accounts as before, what's new is that they'll also be purging suspended and "inactive" ones, and purging the deleted ones only 30 days after deletion, not 60.

As I understand it, if you have an LJ and have one of these accounts as your friend, you do not need to do anything, they will automatically be removed from your friendslist.

But on other sites, like, for instance, Dreamwidth, if you have granted access via OpenID to an account whose name is then resold, whoever buys it will gain access to your locked posts.

If you don't want that to happen, the only way to prevent it (short of the ideal of getting people not to delete their accounts even if they stop using them) is to remove access from the OpenIDs of such journals. Note that if you used the Dreamwidth importer, you might have granted OpenID access to a large number of people - you can manage the details here.

Please feel free to copy/link this around the place.

Note also if you buy an account name and the previous owner has gone round getting the OpenID of the account banned in lots of places, you're stuck with that too

*An inactive LJ journal is apparently one with only one post that's not been logged into for 24 months. If you have any placeholder accounts on LJ, you may want to check that this does not apply to them.

ETA: LJ is taking steps to disable OpenID on resold names as an interim solution (thanks [personal profile] andrewducker). This is a big improvement (unless you've bought one of these names, in which case it's a PITA), but I'll be interested to see how they deal with this long-term.
Tags:
Flat | Top-Level Comments Only

Date: 2010-07-15 10:00 am (UTC)
From: [identity profile] randomchris.livejournal.com
Um... I could be wrong here, but I think Dreamwidth's been around for rather less than 24 months. So this shouldn't be a problem for many people, unless they imported a huge list of Livejournals including defunct ones at some point.

Also, I don't think there's any record kept on Livejournal accounts of what it would have access to. The person buying the account would need to know whose journals it would have access to in order to log into them. It's hard to see how that could be predicted.

Date: 2010-07-15 10:05 am (UTC)
kaberett: Trans symbol with Swiss Army knife tools at other positions around the central circle. (Default)
From: [personal profile] kaberett
Eh? Person taking over the account name could just log into e.g. insanejournal or DW via OpenID then hit "view my friends page" or equivalent, and thus easily find out whose journals they had access to. By my understanding.

Date: 2010-07-15 10:07 am (UTC)
pseudomonas: "pseudomonas" in London Underground roundel (Default)
From: [personal profile] pseudomonas
I think the importer included journals that were deleted but not yet purged. It will certainly have included journals that were inactive by these rules.

The person buying the account will, the first time they log in to DW with OpenID, find out what they have access to, and it'd be surprising if they didn't have a poke around for the sake of curiosity.

I'm not saying this is likely to be used by attackers, but if I wanted to attack an account, it'd be pretty easy to go through their access list (if public) and find out which usernames to buy. As an example, if I deleted my LJ and you bought it, this is what you'd get access to.

Date: 2010-07-22 04:37 pm (UTC)
delight: (Default)
From: [personal profile] delight
This sort of happened to me! There are billions of comments all over DW with my old LJ name; someone else renamed to that name after those comments were imported and now that other person has control of my comments.

Makes me really uncomfortable.

Date: 2010-07-22 04:39 pm (UTC)
pseudomonas: "pseudomonas" in London Underground roundel (Default)
From: [personal profile] pseudomonas
I think this should be given as one of the warnings about deleting one's journal. It's not at all intuitive that it should work like that.

Date: 2010-07-27 12:41 am (UTC)
sophie: A cartoon-like representation of a girl standing on a hill, with brown hair, blue eyes, a flowery top, and blue skirt. ☀ (Default)
From: [personal profile] sophie
Did you notice the edit? LJ have disabled OpenID for users that renamed to a name that was in use previously for now as a temporary fix.

Date: 2010-07-22 05:25 pm (UTC)
pseudomonas: My rat is confused by technology (technology)
From: [personal profile] pseudomonas
thanks! updated post to mention this, but I think the issue is still worth mentioning until there's been a long-term solution hashed out. Also worth raising profile of issue as it really affects all OpenID providers/consumers, not just LJ/DW.
Edited Date: 2010-07-22 05:47 pm (UTC)
Flat | Top-Level Comments Only

Profile

pseudomonas: "pseudomonas" in London Underground roundel (Default)
pseudomonas

November 2024

S M T W T F S
     12
34567 89
10111213141516
17181920212223
24252627282930

Most Popular Tags

Page Summary

Active Entries

Expand Cut Tags

No cut tags
Page generated Jul. 6th, 2025 07:19 am
Powered by Dreamwidth Studios

Style Credit