Feb 18 2007
Jeremy Schoemaker

Another Mybloglog Exploit - This One A Little More Harmful

By Jeremy Schoemaker 43 comments

You know how when you go to people's websites it knows you're there? That is because of your cookie. Unfortunately that same cookie can also be used for a cross-site script attack, basically making you execute commands without your knowledge. I do not want to get into the exact code to make this work, but I see people are doing it now.

If you look at my profile on MyBlogLog you will see 2 sites that I did not add.

I wonder if Yahoo could be possibly liable here because basically Yahoo is saying that I said I own these sites… yet I did not…

Check out Jason Calacanis' community. Evidently, in addition to calacanis.com he also owns and authors seoadwords.com…. right….

So what else can people do with cross-site exploits on MyBlogLog? Oh, I think we are just seeing the tip.

  1. Bradford Knowlton said on February 18th, 2007 at 10:22 pm

    Hello Shoe,

    The reason I chose you is because you have connections to get it fixed. This isn’t fancy hacking. This is the most basic hack.

    Here is how it works:
    Choose add a Co-Author, type in the MyBlogLog member name (for example: Shoemoney). This sends out an e-mail to the user account with a link to add yourself as a co-author. Now most people won’t open them, or they get picked up as spam.

    Now examine the link:
    http://www.mybloglog.com/buzz/add_author_conf.php?sid=2000117014282382&mid=2000031118260237

    SID = Site ID, which is the community you author
    MID = Member ID, which is the member the e-mail went to

    Now, if you open that url, it will automatically add the author, no clicking, no form etc.

    If you send author requests to a bunch of people, for example yourself, then find their memberID and your own SiteID, insert them into the url, and open it in a browser. Bam, you have new authors on the community.

    Please let people know at MyBlogLog this needs to be fixed NOW. Bugs like this will kill the community. I have posted complete details on the blog listed under Jason's community.

    Thanks,
    Bradford Knowlton
    Brad@UCanBOnline.net

    [Reply]
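
The accept-link pattern Bradford describes above, beside a hardened version of the same endpoint, as an added Python sketch that is neither MyBlogLog's code nor Bradford's; the request dicts, site/member ids and server key are constructed stand-ins:

```python
import hashlib
import hmac

# Constructed state so both handlers run offline. A "request" is a dict standing
# in for an HTTP request: method, query/form params, and the member that the
# session cookie sent with the request maps to (None when no cookie).
SERVER_KEY = b"constructed-server-side-key"
authors = {}         # site id -> set of member ids listed as co-authors
invitations = set()  # (site id, member id) pairs an invite e-mail was sent for

def invite(sid, mid):
    """Site owner asks a member to co-author; the e-mail carries the link."""
    invitations.add((sid, mid))

def vulnerable_add_author_conf(request):
    """The pattern from the thread: a GET with sid and mid performs the write
    as soon as any browser holding a valid session cookie loads the URL, so
    an e-mail link or an iframe on another site is enough."""
    sid, mid = request["params"]["sid"], request["params"]["mid"]
    authors.setdefault(sid, set()).add(mid)
    return 200

def csrf_token(member):
    """Per-session token; a page on another origin can neither read nor compute it."""
    return hmac.new(SERVER_KEY, member.encode(), hashlib.sha256).hexdigest()

def hardened_add_author_conf(request):
    """Same endpoint with the checks the thread is asking for."""
    member = request.get("cookie_user")
    if member is None:
        return 401                        # no session: nothing to act on
    if request["method"] != "POST":
        return 405                        # the e-mail link may only show a confirm form
    p = request["params"]
    if not hmac.compare_digest(p.get("csrf", ""), csrf_token(member)):
        return 403                        # token missing or forged: cross-site request
    sid, mid = p["sid"], p["mid"]
    if mid != member or (sid, mid) not in invitations:
        return 403                        # only the invited member may accept, for themself
    invitations.discard((sid, mid))       # one-shot: the link cannot be replayed
    authors.setdefault(sid, set()).add(mid)
    return 200
```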

  2. Ron J said on February 18th, 2007 at 10:44 pm

    I saw this noted on John Chow’s blog and explained how it’s done on another user’s blog. I agree it’s most likely just the beginning of what users are going to discover.

    [Reply]

  3. Meg said on February 18th, 2007 at 11:12 pm

    *Should* be easy enough to remove it from your profile though, if you click on the offending community’s “Edit Settings” (when in “my home”) and scroll down to “Remove site/blog from my profile”.

    [Reply]

  4. ShoeMoney said on February 19th, 2007 at 12:32 am

    hmm ok so you didn’t use the cross site =P well it still works nonetheless… geez how easy is this?

    Also I don’t get any email at all from them so…

    [Reply]

  5. engtech said on February 19th, 2007 at 12:56 am

    I think someone needs more indoctrination with the “never trust users” school of thought.

    [Reply]

  6. ShoeMoney said on February 19th, 2007 at 1:33 am

    well unless you never look at your profile then find out someday someone added a bunch of porn sites =(

    [Reply]

  7. Leonard Chen said on February 19th, 2007 at 1:35 am

    I’ve received one of those emails. It just didn’t make sense to have someone you didn’t know be a co-author, so I had it labeled as spam.

    [Reply]

  8. dillsmack said on February 19th, 2007 at 1:57 am

    Brad,

    Or you could just put that link on a popular myspace page (or your blog, or forum posts, or all your emails, or anything else you can think of) as an iframe.

    How do you say?

    Voila.

    [Reply]

  9. dillsmack said on February 19th, 2007 at 1:59 am

    So it *should* be pretty easy for you to cancel the transactions for things I bought with your stolen credit card, right?

    [Reply]

  10. Meg said on February 19th, 2007 at 2:25 am

    Fair point

    [Reply]

  11. Meg said on February 19th, 2007 at 2:26 am

    Ah ha - so that was you ;)

    [Reply]

  12. tony greene said on February 19th, 2007 at 2:44 am

    I noticed this came up from a spammy site that was asking people to be “authors” of their site. That French or Belgian thing with meme in its name. They have to fix this ASAP or they will be going down the tubes…soon.

    [Reply]

  13. IslandGiRL said on February 19th, 2007 at 3:33 am

    Like shoe said we’re just seeing the tip of this. But hey that’s expected this is an ever evolving industry.

    [Reply]

  14. Tat said on February 19th, 2007 at 3:59 am

    That’s just dirty. I just realized earlier today that MyBlogLog even sent emails when someone posted a heads up to a profile I was on.

    [Reply]

  15. ShoeMoney said on February 19th, 2007 at 4:09 am

    ya I thought it was really awesome at first but really the privacy issues now kind of give me the creeps

    [Reply]

  16. Jason Bartholme said on February 19th, 2007 at 8:49 am

    I saw another exploit, if you want to call it that. It appears that people are taking advantage of the fact that special characters are being sorted to the top in the “My Communities” section. Browse across some profiles and you will see a few examples. A simple solution would be to have the communities come in at random.

    [Reply]

  17. Nick said on February 19th, 2007 at 9:32 am

    It’s turning into a new form of myspace - spam, spam, and more spam. Just like everything.

    -Nick

    [Reply]

  18. Cygnus said on February 19th, 2007 at 10:50 am

    Yeah Shoe$, they added me as well…was pretty pissed. Granted, it takes like 2 seconds to remove those sites, it is a dirty trick. I was thinking about modding their title to something dirty and off TOS, but didn’t want to hurt the other duped authors.

    [Reply]

  19. Jack said on February 19th, 2007 at 11:52 am

    I was flattered to be asked to co-author a Blog in Belgium this weekend. And I don’t even speak Flemish!
    I am now saddened to see this is not the case.
    However, I was pleasantly surprised to find that I have won the UK National Lottery and the dear nephew of the late Oil Minister of Nigeria has left me a sum of money.
    So take the good with the bad!

    [Reply]

  20. Lee Bandoni said on February 19th, 2007 at 12:21 pm

    I was also offered the position of being a blogger in Belgium for an unfinished blogspot blog with a messed up template and some stupid text :( Hey, on the bright side at least we know people are looking at our profiles lol

    [Reply]

  21. Bradford Knowlton said on February 19th, 2007 at 12:37 pm

    There are no TOS for mybloglog. Ever notice that?

    [Reply]

  22. HMTKSteve said on February 19th, 2007 at 1:13 pm

    Shoe,

    I was the other blogger who added you as a co-author. I sent a private message to you explaining what I did and why, i.e. to get the problem fixed as you have connections.

    MyBlogLog has fixed the problem (I notified them too). The scary part to me is that if someone manages to become a co-author on your site you can’t remove them!

    You can not set one user as the true owner of the site. After I added you as a co-author (proof of concept for the hack) I then tried to remove you and could not do it.

    [Reply]

  23. HMTKSteve said on February 19th, 2007 at 1:16 pm

    It is super easy. I’m only surprised it was not over-exploited.

    [Reply]

  24. HMTKSteve said on February 19th, 2007 at 1:18 pm

    This was a mostly harmless hack.

    [Reply]

  25. Bill said on February 19th, 2007 at 2:26 pm

    This definitely has to be stopped…I’m starting to see localhost/mybloglog/spamrun.php show up on some referrers, and it looks like someone’s on a mission.

    [Reply]

  26. ShoeMoney said on February 19th, 2007 at 7:01 pm

    ya btw nice spam in your comment, I moderate all outbound links so don’t try that crap again

    [Reply]

  27. Eric Marcoullier said on February 19th, 2007 at 9:47 pm

    Shoe — always nice to see you holding our feet to the fire. We posted a pretty lengthy article about what happened and what we’re doing moving forward. http://mybloglogb.typepad.com/my_weblog/2007/02/weekend_spamtac.html

    [Reply]

  28. Stu said on February 20th, 2007 at 4:34 am

    Yeah I got one of those stupid emails as well, almost clicked the link until I looked at the whole URL

    [Reply]

  29. claude said on February 20th, 2007 at 4:19 pm

    Blogmemes is not responsible for the hack which occurred this weekend via the Mybloglog Web service.
    The Mybloglog account of one of the network’s members was pirated without his knowledge.
    We do not yet know why or who might be responsible.
    It is not in line with the network’s code of ethics nor in its interest to proceed in this manner and serves only to discredit our community.
    We are currently suffering many spam attacks on our Web sites, which we are combatting as much as possible.
    We thank the mybloglog team for having now corrected this problem.

    We are currently trying to answer all those who have written to us, to explain the situation to them.

    Claude
    co-founder of the blogmemes network

    [Reply]

  30. [...] just posted about another MyBlogLog exploit that’s currently happening. In this exploit, a spammer can add his site to the list of [...]

  31. Big Problems Facing MyBlogLog said on February 19th, 2007 at 1:09 pm

    [...] 5 links” to enter in their own spammy keyword-laced links. Another is a way that uses a MyBlogLog cookie exploit to make people seem like they author websites (when they in reality do not). To me, the entire [...]

  32. MyBlogLog Co-Author Request - Reaper-X .:[ ID ]:. said on February 19th, 2007 at 2:15 pm

    [...] : it seems that there’s other people (famous people or the A-List Blogger such as Shoemoney, John Chow, Darren Rowse, and Danny Sullivan) that got the same problem like me too. And now i [...]

  33. MyBlogLog - Is it Adding Value? said on February 19th, 2007 at 6:09 pm

    [...] posted that they’d been added as authors on blogs that they didn’t write on including ShoeMoney, John Chow, Danny Sullivan and Web Metrics Guru. Reading the comments on these blogs shows that [...]

  34. MyBlogLog Growing Pains » Aspects of Home Business Blog said on February 20th, 2007 at 2:20 pm

    [...] Like thousands of other members, the other day I got an email from someone in Belgium asking me to be a coauthor on his blog. I thought that was really weird, obviously. Turns out they were taking advantage of an exploit, which I read about on ShoeMoney’s blog. [...]

  35. MyBlogLog’s Co-Author Exploit | SYP said on February 21st, 2007 at 6:11 am

    [...] then discovered the exact same thing reported on Blogpond. Apparently both Jeremy Shoemaker and John Chow were affected and added to be the co-authors of that spammy community. If you [...]

  36. [...] Shoemoney has posted various hack stories in the past, but this post is the first time Yahoo!, its patience exhausted, has brought down the hammer. The hack in question shows how to surf the web impersonating another user: tweak a little code on your own computer, install MyBlogLog's latest read-only widget, and visit a site using the profile and avatar of whichever MyBlogLog user you want to impersonate, and the widget will display that as the user's activity. [...]

  37. This Week In SEO - 2/23/07 - TheVanBlog said on February 23rd, 2007 at 11:11 pm

    [...] Another Mybloglog Exploit - This One A Little More Harmful [...]

  38. MyBlogLog Bans Blogger; Backlash Begins said on February 24th, 2007 at 2:34 am

    [...] has posted various exploits in the past, but it wasn’t til this latest one that Yahoo! decided enough was enough. The [...]

  39. [...] MyBlogLog Showing Communities I did not Join [...]

  40. [...] a few spamming problems in this network. Just check out these two article from Shoemoney…1 2 personally as it stands right now the risk reward ratio make it worth it to me, but I reserve the [...]

  41. [...] has posted various exploits in the past, but it wasn’t til this latest one that Yahoo! decided enough was enough. The exploit [...]

  42. This Week In SEO - 2/23/07 | TheVanBlog said on January 29th, 2008 at 9:42 pm

    [...] Another Mybloglog Exploit - This One A Little More Harmful [...]

  43. MyBlogLog Insecure | Blogging Sueblimely said on February 5th, 2008 at 8:57 am

    [...] am not sure if these security problems are part of the same MBL issues that Shoemoney revealed last year or if other loopholes have been discovered since. Shoemoney was banned from MBL and [...]
