Another Mybloglog Exploit – This One A Little More Harmful




You know how when you go to people's websites it knows you're there? That is because of your cookie. Unfortunately that same cookie can also be used in a cross-site exploit, basically making you execute commands without your knowledge. I do not want to get into the exact code to make this work, but I see people are doing it now.

If you look at my profile on MyBlogLog you will see 2 sites that I did not add.

I wonder if Yahoo could be possibly liable here because basically Yahoo is saying that I said I own these sites… yet I did not…

Check out Jason Calacanis's community. Evidently, in addition to calacanis.com, he also owns and authors seoadwords.com…. right….

So what else can people do with cross-site exploits on MyBlogLog? Oh, I think we are just seeing the tip.

44 thoughts on “Another Mybloglog Exploit – This One A Little More Harmful”

  1. Bradford Knowlton

    Hello Shoe,

    The reason I chose you is because you have connections to get it fixed. This isn’t fancy hacking. This is the most basic hack.

    Here is how it works:
    Choose “Add a Co-Author” and type in the MyBlogLog member name (for example: Shoemoney). This sends out an e-mail to the user account with a link to add yourself as a co-author. Now most people won’t open them, or they get picked up as spam.

    Now examine the link:
    http://www.mybloglog.com/buzz/add_author_conf.php?sid=2000117014282382&mid=2000031118260237

    SID = Site ID, which is the community you author
    MID = Member ID, which is the member the e-mail went to

    Now, if you open that url, it will automatically add the author, no clicking, no form etc.

    If you send author requests to a bunch of people (for example, yourself), then find their member ID and your own site ID, insert them into the URL and open it in a browser. Bam, you have new authors on the community.

    Please let people know at MyBlogLog this needs to be fixed NOW. Bugs like this will kill the community. I have posted complete details on the blog listed under Jason’s community.

    Thanks,
    Bradford Knowlton
    Brad@UCanBOnline.net
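    The weakness Bradford describes is a confirmation link that performs the state change by itself: a GET carrying a site ID and a member ID, with nothing proving that the invited member actually chose to accept. The following is an added, constructed example (not MyBlogLog's code; the handler names, the in-memory store, the `site-A`/`member-42` IDs and the 24-hour expiry are all assumptions) that puts that weak pattern beside a hardened one: the e-mail link carries only an unguessable single-use token stored server-side with the (sid, mid) pair it authorizes, a GET merely renders a consent page, and the actual change requires a POST from a session belonging to the member the token was issued to.

```python
"""Constructed demo of an e-mail confirmation link that changes state.
Weak form: any request naming sid and mid adds the author.
Hardened form: single-use token, bound to the invited member, explicit POST.
All names, IDs and the in-memory store are assumptions for this example."""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Site:
    sid: str
    authors: set = field(default_factory=set)


@dataclass
class Store:
    sites: dict = field(default_factory=dict)
    invites: dict = field(default_factory=dict)  # token -> (sid, mid, expires_at)


def make_demo_store():
    """Constructed sample data: one community with one existing author."""
    store = Store()
    store.sites["site-A"] = Site("site-A", authors={"member-owner"})
    return store


# --- weak form: the pattern described in the thread ----------------------
def add_author_conf_weak(store, query):
    """Adds query['mid'] to query['sid'] on any request.
    Nothing ties the request to the e-mail that was sent and nothing checks
    who is logged in, so the URL can simply be assembled by hand."""
    site = store.sites.get(query.get("sid"))
    if site is None:
        return "reject: no such site"
    site.authors.add(query["mid"])
    return "added"


# --- hardened form -------------------------------------------------------
INVITE_TTL = 24 * 3600  # assumption: invitations expire after one day


def create_invite(store, sid, mid, now=None):
    """Issue an unguessable, single-use token and remember server-side which
    (sid, mid) pair it authorizes. The e-mail link carries only the token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    store.invites[token] = (sid, mid, now + INVITE_TTL)
    return f"/buzz/add_author_conf.php?t={token}"


def add_author_conf_hardened(store, session_user, method, params, now=None):
    """GET only renders a consent page. The change itself needs a POST, a
    live token, and a session for the member the token was issued to.
    sid and mid are taken from the stored invite, never from the request,
    so they cannot be swapped for other values."""
    now = time.time() if now is None else now
    if method == "GET":
        return "render: consent form (no change made)"
    if method != "POST":
        return "reject: method not allowed"
    token = params.get("t")
    invite = store.invites.get(token)
    if invite is None:
        return "reject: unknown or already-used token"
    sid, mid, expires_at = invite
    if now > expires_at:
        store.invites.pop(token, None)
        return "reject: expired token"
    if session_user != mid:
        return "reject: token was issued to a different member"
    store.invites.pop(token)  # single use: a replay of the same link fails
    store.sites[sid].authors.add(mid)
    return "added"


if __name__ == "__main__":
    weak = make_demo_store()
    print("weak:", add_author_conf_weak(weak, {"sid": "site-A", "mid": "member-42"}))
    hard = make_demo_store()
    link = create_invite(hard, "site-A", "member-42")
    tok = link.split("t=")[1]
    print("forged:", add_author_conf_hardened(hard, "someone", "POST", {"sid": "site-A", "mid": "member-42"}))
    print("real:", add_author_conf_hardened(hard, "member-42", "POST", {"t": tok}))
    print("replay:", add_author_conf_hardened(hard, "member-42", "POST", {"t": tok}))
```

    The two checks that matter most are that the handler refuses to act on a GET at all, and that the token, not the URL's sid/mid parameters, decides what gets changed and for whom. Keeping the token server-side and deleting it on first use means a link that leaks or is replayed is worthless after the legitimate confirmation.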

  2. Ron J

    I saw this noted on John Chow’s blog and explained on how it’s done on another user’s blog. I agree it’s most likely just the beginning of what users are going to discover.

  3. Meg

    *Should* be easy enough to remove it from your profile though, if you click on the offending community’s “Edit Settings” (when in “my home”) and scroll down to “Remove site/blog from my profile”.

  4. ShoeMoney

    hmm ok so you didn’t use the cross site =P well it still works nonetheless… geez how easy is this?

    Also I don’t get any email at all from them so…

  5. dillsmack

    Brad,

    Or you could just put that link on a popular myspace page (or your blog, or forum posts, or all your emails, or anything else you can think of) as an iframe.

    How do you say?

    Voila.

  6. tony greene

    I noticed this came up from a spammy site that was asking people to be “authors” of their site. That French or Belgian thing with meme in its name. They have to fix this ASAP or they will be going down the tubes…soon.

  7. Tat

    That’s just dirty. I just realized earlier today that MyBlogLog even sent emails when someone posted a heads up to a profile I was on.

  8. Pingback: New MyBlogLog Exploit That Uses The Co-Author Email Request - Affiliate Marketing Blogger

  9. Jason Bartholme

    I saw another exploit, if you want to call it that. It appears that people are taking advantage of the fact that special characters are being sorted to the top in the “My Communities” section. Browse across some profiles and you will see a few examples. A simple solution would be to have the communities come in at random.

  10. Cygnus

    Yeah Shoe$, they added me as well…was pretty pissed. Granted, it takes like 2 seconds to remove those sites, it is a dirty trick. I was thinking about modding their title to something dirty and off TOS, but didn’t want to hurt the other duped authors.

  11. Jack

    I was flattered to be asked to co-author a Blog in Belgium this weekend. And I don’t even speak Flemish!
    I am now saddened to see this is not the case.
    However, I was pleasantly surprised to find that I have won the UK National Lottery and the dear nephew of the late Oil Minister of Nigeria has left me a sum of money.
    So take the good with the bad!

  12. Lee Bandoni

    I was also offered the position of being a blogger in Belgium for an unfinished blogspot blog with a messed up template and some stupid text :( Hey on the bright side at least we know people are looking at our profiles lol

  13. Pingback: Big Problems Facing MyBlogLog

  14. HMTKSteve

    Shoe,

    I was the other blogger who added you as a co-author. I sent a private message to you explaining what I did and why, i.e. to get the problem fixed as you have connections.

    MyBlogLog has fixed the problem (I notified them too). The scary part to me is that if someone manages to become a co-author on your site you can’t remove them!

    You cannot set one user as the true owner of the site. After I added you as a co-author (proof of concept for the hack) I then tried to remove you and could not do it.

  15. Pingback: MyBlogLog Co-Author Request - Reaper-X .:[ ID ]:.

  16. Bill

    This definitely has to be stopped…I’m starting to see localhost/mybloglog/spamrun.php show up on some referrers, and it looks like someone’s on a mission.

  17. Pingback: MyBlogLog - Is it Adding Value?

  18. Pingback: MyBlogLog Growing Pains » Aspects of Home Business Blog

  19. claude

    Blogmemes is not responsible for the hack which occurred this weekend via the Mybloglog Web service.
    The Mybloglog account of one of the network’s members was pirated without his knowledge.
    We do not yet know why or who might be responsible.
    It is not in line with the network’s code of ethics nor in its interest to proceed in this manner and serves only to discredit our community.
    We are currently suffering many spam attacks on our Web sites, which we are combatting as much as possible.
    We thank the mybloglog team for having now corrected this problem.

    We are currently trying to answer all those who have written to us, to explain the situation to them.

    Claude
    co-founder of the blogmemes network

  20. Pingback: MyBlogLog’s Co-Author Exploit | SYP

  21. Pingback: TechCrunch Japanese アーカイブ » MyBlogLog?著??ブロガー?出入りを?止?高?る??発

  22. Pingback: This Week In SEO - 2/23/07 - TheVanBlog

  23. Pingback: MyBlogLog Bans Blogger; Backlash Begins

  24. Pingback: Joe Whyte - Seo Consulting - Rockyfied » Mybloglog community positioning tactics

  25. Pingback: Shoestring Empire - a webpreneur’s journey - » Socially Hardwired: How I am getting traffic, starting conversation and staying completely connected to the social community

  26. Pingback: techcrunch » Blog Archive » MyBlogLog Bans Blogger; Backlash Begins

  27. Pingback: This Week In SEO - 2/23/07 | TheVanBlog

  28. Pingback: MyBlogLog Insecure | Blogging Sueblimely

  29. Pingback: This Week In SEO - 2/23/07 - Vanseo Design
