Another Mybloglog Exploit – This One A Little More Harmful

by Jeremy Schoemaker on February 18, 2007 · 44 comments

You know how when you go to people's websites it knows you're there? That is because of your cookie. Unfortunately that same cookie can also be used for a cross-site script, basically making you execute commands without your knowledge. I do not want to get into the exact code to make this work but I see people are doing it now.

If you look at my profile on MyBlogLog you will see 2 sites that I did not add.

I wonder if Yahoo could be possibly liable here because basically Yahoo is saying that I said I own these sites… yet I did not…

Check out Jason Calacanis' community. Evidently in addition to calacanis.com he also owns and authors seoadwords.com …. right….

So what else can people do with cross-site exploits on MyBlogLog? Oh I think we are just seeing the tip.

full disclosure


{ 29 comments }

1 Bradford Knowlton

Hello Shoe,

The reason I choose you, is because you have connections to get it fixed. This isn’t fancy hacking. This is the most basic hack.

Here is how it works:
Choose add a Co-Author, type in the MyBlogLog member name (for example: Shoemoney). This sends out an e-mail to the user account with a link to add yourself as a co-author. Now most people won’t open them, or they get picked up as spam.

Now examine the link:
http://www.mybloglog.com/buzz/add_author_conf.php?sid=2000117014282382&mid=2000031118260237

SID = Site ID, which is the community you author
MID = Member ID, which is the member the e-mail went to

Now, if you open that url, it will automatically add the author, no clicking, no form etc.

If you send author requests to a bunch of people. For example, yourself. Then find their memberID, your own SiteID, and insert them into the url, open in a browser. Bam, you have new authors on the community.

Please let people know at MyBlogLog this needs to be fixed NOW. bugs like this will kill the community. I have posted complete details on the blog listed under Jason community.

Thanks,
Bradford Knowlton
Brad@UCanBOnline.net
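
The link in the comment above changes state on a plain GET and takes only two IDs as input. As an added example (not MyBlogLog's code and not from the commenter), this is a hardened confirmation step in Python; `make_invite_token`, `confirm_coauthor`, the HMAC token, the `authors` store and all sample IDs are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed demo secret; a real service would load its key from a secret store.
SERVER_KEY = b"demo-key-not-for-production"


def make_invite_token(sid: str, mid: str, expires: int, key: bytes = SERVER_KEY) -> str:
    """HMAC over (site, member, expiry); mailed only to the invited member."""
    msg = f"{sid}|{mid}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def confirm_coauthor(method, session_mid, sid, mid, expires, token, authors, now=None):
    """Hypothetical hardened confirmation handler. Returns (ok, reason).

    `authors` maps site ID -> set of member IDs and is changed only on success.
    """
    now = int(time.time()) if now is None else now
    # 1. A GET must never change state: links get loaded by iframes and prefetchers.
    if method != "POST":
        return False, "state change requires POST"
    # 2. Only the logged-in invitee may accept, not whoever assembled the URL.
    if session_mid is None or session_mid != mid:
        return False, "session does not match invited member"
    # 3. The IDs alone prove nothing; require the unguessable token from the e-mail.
    expected = make_invite_token(sid, mid, expires)
    if not hmac.compare_digest(expected.encode(), (token or "").encode()):
        return False, "invalid token"
    if now > expires:
        return False, "invitation expired"
    authors.setdefault(sid, set()).add(mid)
    return True, "co-author added"


if __name__ == "__main__":
    # Constructed sample data, not real MyBlogLog IDs.
    store, exp = {}, int(time.time()) + 3600
    tok = make_invite_token("site-A", "member-1", exp)
    # IDs only, loaded as a GET (the pattern the comment describes): refused.
    print(confirm_coauthor("GET", "member-1", "site-A", "member-1", exp, None, store))
    # The invitee, logged in, submitting the token from their own e-mail: accepted.
    print(confirm_coauthor("POST", "member-1", "site-A", "member-1", exp, tok, store))
```

Because the expiry is covered by the HMAC, a client cannot extend an invitation by editing the `expires` parameter.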

2 Ron J

I saw this noted on John Chow’s blog and explained on how it’s done on another user’s blog. I agree it’s most likely just the beginning of what users are going to discover.

3 Meg

*Should* be easy enough to remove it from your profile though, if you click on the offending community’s “Edit Settings” (when in “my home”) and scroll down to “Remove site/blog from my profile”.

4 ShoeMoney

hmm ok so you didn't use the cross site =P well it still works nonetheless… geez how easy is this?

Also I don't get any email at all from them so…

5 engtech

I think someone needs more indoctrination with the “never trust users” school of thought.

6 ShoeMoney

well unless you never look at your profile then find out someday someone added a bunch of porn sites =(

7 Leonard Chen

I’ve received one of those emails. It just didn’t make sense to have someone you didn’t know be a co-author so I had it labeled as spam.

8 dillsmack

Brad,

Or you could just put that link on a popular myspace page (or your blog, or forum posts, or all your emails, or anything else you can think of) as an iframe.

How do you say?

Voila.

9 dillsmack

So it *should* be pretty easy for you to cancel the transactions for things I bought with your stolen credit card, right?

10 Meg

Fair point

11 Meg

Ah ha – so that was you ;)

12 tony greene

I noticed this came up from a spammy site that was asking people to be “authors” of their site. That French or Belgian thing with meme in its name. They have to fix this ASAP or they will be going down the tubes…soon.

13 IslandGiRL

Like shoe said we’re just seeing the tip of this. But hey that’s expected this is an ever evolving industry.

14 Tat

That’s just dirty. I just realized earlier today that MyBlogLog even sent emails when someone posted a heads up to a profile I was on.

15 ShoeMoney

ya I thought it was really awesome at first but really the privacy issues now kind of give me the creeps

16 Jason Bartholme

I saw another exploit, if you want to call it that. It appears that people are taking advantage of the fact that special characters are being sorted to the top in the “My Communities” section. Browse across some profiles and you will see a few examples. A simple solution would be to have the communities come in at random.

17 Nick

It’s turning into a new form of myspace – spam, spam, and more spam. Just like everything.

-Nick

18 Cygnus

Yeah Shoe$, they added me as well…was pretty pissed. Granted, it takes like 2 seconds to remove those sites, it is a dirty trick. I was thinking about modding their title to something dirty and off TOS, but didn’t want to hurt the other duped authors.

19 Jack

I was flattered to be asked to co-author a Blog in Belgium this weekend. And I don’t even speak Flemish!
I am now saddened to see this is not the case.
However, I was pleasantly surprised to find that I have won the UK National Lottery and the dear nephew of the late Oil Minister of Nigeria has left me a sum of money.
So take the good with the bad!

20 Lee Bandoni

I was also offered the position of being a blogger in Belgium for an unfinished blogspot blog with a messed up template and some stupid text :( Hey on the bright side at least we know people are looking at our profiles lol

21 Bradford Knowlton

There are no TOS for mybloglog. Ever notice that?

22 HMTKSteve

Shoe,

I was the other blogger who added you as a co-author. I sent a private message to you explaining what I did and why, i.e. to get the problem fixed as you have connections.

MyBlogLog has fixed the problem (I notified them too). The scary part to me is that if someone manages to become a co-author on your site you can’t remove them!

You can not set one user as the true owner of the site. After I added you as a co-author (proof of concept for the hack) I then tried to remove you and could not do it.

23 HMTKSteve

It is super easy. I’m only surprised it was not over-exploited.

24 HMTKSteve

This was a mostly harmless hack.

25 Bill

This definitely has to be stopped…I’m starting to see localhost/mybloglog/spamrun.php show up on some referrers, and it looks like someone’s on a mission.

26 ShoeMoney

ya btw nice spam in your comment btw I moderate all outbound links so don’t try that crap again

27 Eric Marcoullier

Shoe — always nice to see you holding our feet to the fire. We posted a pretty lengthy article about what happened and what we’re doing moving forward. http://mybloglogb.typepad.com/my_weblog/2007/02/weekend_spamtac.html

28 Stu

Yeah i got one of those stupid emails as well, almost clicked the link until i looked at the whole URL

29 claude

Blogmemes is not responsible for the hack which occurred this weekend via the Mybloglog Web service.
The Mybloglog account of one of the network’s members was pirated without his knowledge.
We do not yet know why or who might be responsible.
It is not in line with the network’s code of ethics nor in its interest to proceed in this manner and serves only to discredit our community.
We are currently suffering many spam attacks on our Web sites, which we are combatting as much as possible.
We thank the mybloglog team for having now corrected this problem.

We are currently trying to answer all those who have written to us, to explain the situation to them.

Claude
co-founder of the blogmemes network
