the LJ auto-posting hack
Jun. 13th, 2004 10:42 am

is (currently) absolutely harmless, in whatever form it is. yeah, it may post something you didn't mean to post, but you can always delete it. This includes the sausage-length meme, both english and russian, and the "click here" which magically posts. There is NO way it can grab passwords or cookies that LJ is using. cookies don't work like that, and passwords in LJ are well-encrypted and well hidden and not "fetchable" by any means that any web service, web browser or javascript hack could grab.
like with most sites, the only way to get a password back (or a new one) is to click a link and it will EMAIL a password to the ORIGINAL account. the auto-post hack is a one-shot thing, not something that someone else could use to "permanently" post to your account.
you don't have to log out / log in, you don't have to change your passwords. just delete any post you don't recall posting, and lj will have a permanent fix soon.
for the geek-inclined, they're talking about how to change LJ to stop this kind of antics over at lj_dev.
Update, it looks like a fix has been applied, because replying to comment threads through email no longer works, and there are now "hidden" parameters in the html form for posting or updating.
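for the geek-inclined, here is one common way "hidden" form parameters like these stop a one-click auto-post: the site puts a per-session token in the form it serves, and a page on some other site can make your browser submit the form but cannot read that token. this is an added example, not LJ's actual code; the field name csrf_token, the HMAC scheme and every function name below are assumptions.

```python
# Added illustration: per-session anti-forgery token carried in a hidden form field.
# SERVER_KEY, the "csrf_token" field and all function names are hypothetical.
import hashlib
import hmac
import html
import secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to the browser


def _mac(nonce: str, session_id: str) -> str:
    msg = f"{nonce}:{session_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Random nonce plus an HMAC binding it to one session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(nonce, session_id)}"


def token_is_valid(session_id: str, token: Optional[str]) -> bool:
    if not token or token.count(".") != 1:
        return False  # missing or malformed: what a forged cross-site post looks like
    nonce, mac = token.split(".")
    # Constant-time comparison on bytes (safe for non-ASCII input too).
    return hmac.compare_digest(mac.encode(), _mac(nonce, session_id).encode())


def render_post_form(session_id: str) -> str:
    """The form the site itself serves; the token rides along as a hidden input."""
    token = html.escape(issue_token(session_id), quote=True)
    return (
        '<form method="post" action="/update">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <textarea name="body"></textarea>\n'
        '</form>'
    )


def handle_post(session_id: str, form: dict) -> str:
    """Accept the post only if the hidden token matches the session behind the cookie."""
    if not token_is_valid(session_id, form.get("csrf_token")):
        return "rejected"
    return "posted"
```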