Dan Goodin reports:
LiveJournal’s security team has disabled some media features on the blogging site after a quick-spreading worm stole user email addresses and caused entries designated as private to be available to everyone.
The self-propagating exploit spread to users who were logged in and did nothing more than view a LiveJournal posting that was already infected. Affected account holders had their email addresses stolen and found that their privacy settings were lowered so that posts that may have been restricted were generally available. The worm then embedded code into infected accounts that attacked other LiveJournal users.
The worm spread through malicious Adobe Flash media files that used “cross-domain scripting” to make the unauthorized account changes.
Read more on The Register.