Azure Jane Lunatic (Azz) 🌺 ([personal profile] azurelunatic) wrote 2011-10-27 08:29 pm

This is the official LJ word on that Varnish + privacy thing.

http://lj-maintenance.livejournal.com/131843.html

Site Maintenance
Our apologies for the delay in reporting these details and any inconvenience this has caused. We wanted to make sure we fully analyzed the extent of the situation before publishing details.

The following occurred - while updating the configuration of our internal caching system, Varnish, for a few minutes the system began to issue cached pages from the users who most recently visited the same page, as the system considered this the most relevant source of data. Thus, for 3 minutes, some users may have seen pages which appeared as though they were logged in as another random account, but it was actually just a snapshot of the page of the last visitor. It had no effect on security, as it was not possible to perform any actions on behalf of this other account. When attempting to load another page during these few minutes, another cached page was served in most cases.

This issue primarily affected people in the United States; the Russian-speaking audience was almost completely unaffected because the changes occurred very late at night in Russia. However, we are grateful to those of you who noticed this and quickly brought our attention to the issue, which gave us the opportunity to quickly understand the cause and resolve it.

The changes which were made are intended to improve site security, and reduce malicious activity on the site. It will make it more difficult to steal cookies from public locations, or spoof them for malicious attacks. We're also working on a few other things:

* Better communication with our 3rd party developers

* More thorough testing before rolling out changes

* Finally, better communication with you about our development process


Again, please accept our apologies for any inconvenience.


Edited to add the text of the entry.

[personal profile] xenacryst 2011-10-28 04:14 am (UTC)
I mostly just went over there to look at the train wreck, but I just couldn't help noticing that - I guess - the very bug they're acknowledging has corrupted that very entry. The entry page itself says there are some 214 comments on 5 pages. Going to page 2 says there are only 2 pages of comments. Going back and going to page 3 says there are only 3 pages. Cached pages, huh? Your cache system is exceedingly broke, speaking as a technical person myself. At this point I'd be shutting off the site and getting things fixed... oh wait, that would cut off the display of ads, and hence tank their bottom line. Woops.

[personal profile] eruthros 2011-10-28 04:29 am (UTC)
I had that exact same problem happen when I was logged out! (When I logged in with openID it stopped happening.)

[personal profile] thette 2011-11-01 09:48 pm (UTC)
Does this mean you're posting on DW only?

[personal profile] synecdochic 2011-10-28 05:14 am (UTC)
FYI, you can expire the cache and pull a new version of the page by adding some characters (a / or a @ or whatever) to the end of the URL after a ?page=foo or #comments argument; the system is smart enough to redirect it to the right URL, but it'll think it's a new request and pull the fresh data.

[personal profile] cleverthylacine 2011-10-28 09:21 pm (UTC)
They're wrong; several people have reported that they accidentally left comments as other users.

[personal profile] bookofjude 2011-10-29 08:41 am (UTC)
My understanding of the strung-with-dental-floss system that makes up LiveJournal implies that this is not actually possible as a result of the Varnish misconfiguration specifically. It merely gave you the page that it had rendered for another user, instead of one rendered for you. This should have no effect upon your login cookie, and, presumably, this cookie is checked for authentication purposes whenever comments are made, rather than simply relying on whatever user-related authentication data might be embedded in the actual HTML. Again, I don't properly understand how the whole system goes together, but if all that is required to post comments as another user is the embedded data on the comment form, this is a severe security issue.

Thus, I'm led to believe it's an entirely different and undiscussed issue that has allowed people to post comments as others.

That it is undiscussed so far implies that either it is an on-going issue (possible), or one that they have partially solved but are unwilling to bring public attention to until they can confirm that it is completely resolved.

I haven't seen the actual reports of miscommenting, so I can't comment on those. Either way, I'm willing to believe pretty much anything where LiveJournal is concerned - and not in a good way, alas.
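
The distinction drawn in the comment above, as an added example that is not part of the thread and is not LiveJournal's or Varnish's code: a constructed Python model in which a cache keyed on URL alone hands one user's rendered page to the next visitor, while a comment handler that authenticates from the session cookie still attributes the comment correctly and one that trusts the name embedded in the form does not. All names (`SESSIONS`, `PageCache`, `post_comment`, the cookie values and URL) are hypothetical.

```python
import re

# Constructed session store: cookie value -> account name (assumption).
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}

def render(url, cookie):
    """Backend: render a page personalised for whoever owns the cookie."""
    user = SESSIONS.get(cookie, "anonymous")
    return (f"<h1>{url}</h1><p>Logged in as {user}</p>"
            f"<form><input name='poster' value='{user}'></form>")

class PageCache:
    """Toy front-end cache; url_only=True models the misconfiguration."""

    def __init__(self, url_only):
        self.url_only = url_only
        self.store = {}

    def fetch(self, url, cookie):
        if not self.url_only and cookie in SESSIONS:
            return render(url, cookie)  # logged-in views bypass the cache
        if url not in self.store:
            self.store[url] = render(url, cookie)  # first visitor's render is kept
        return self.store[url]

def embedded_poster(html):
    """Pull the account name embedded in the page's comment form."""
    return re.search(r"name='poster' value='([^']*)'", html).group(1)

def post_comment(cookie, html, trust_form):
    """Return the account a submitted comment is attributed to."""
    if trust_form:
        return embedded_poster(html)  # weak: identity read from the HTML
    user = SESSIONS.get(cookie)       # sound: identity read from the session
    if user is None:
        raise PermissionError("no valid session cookie")
    return user

def run(url_only):
    """alice loads the entry, then bob loads it and submits the comment form."""
    cache = PageCache(url_only)
    cache.fetch("/entry/1", "sess-alice")
    page = cache.fetch("/entry/1", "sess-bob")
    return (embedded_poster(page),
            post_comment("sess-bob", page, trust_form=False),
            post_comment("sess-bob", page, trust_form=True))

if __name__ == "__main__":
    print("url-only cache:", run(True), "| bypass for sessions:", run(False))
```

Each tuple is (name shown on bob's page, attribution with the cookie check, attribution when the form field is trusted).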