In this week's MyBlogLog hack of the week, we show you how to surf the web as other MyBlogLog members.
This one is really pretty simple. If you are using Firefox, just open up your cookies.txt file and look for the line that says:
.mybloglog.com TRUE / FALSE 120364175 mbl_sid 2006122713042995
Now, if you have never used MyBlogLog, just paste in the above line and restart Firefox to surf the web as me.
If you want to be someone else, just change that last number to the number for whoever you want to be. Here are a few notable people that it could be fun to surf the web as:
Scott Rafer – 20070220175514
Jason Calacanis – 20070220172928
Jeremy Zawodny – 20070220173258
Gray Wolf – 2006121823222200
Neil Patel – 2006112001595691
Chris Hooley – 2006122217174655
Tech Crunch – 2005092013300934
Andy Beal – 2006120114424866
Loren Baker – 2006120114424866
Danny Sullivan – 2006112409071004
Kid Disco – 2006122401534873
Barry Schwartz – 2007011808190075
Again… you don't even need a MyBlogLog account; just put that line in your cookies.txt file.
Fun stuff!
Ever wonder how the spammers are getting so many links in your “hot communities” that you are never a member of? We will cover that next week!
Hilarious!
Quick, somebody setup a site with a cross reference to everyone!
I wanna be Matt Cutts, no Darren Rowse, no, Greg! Ya Greg B.
Holy crap that’s so awesome. 😀
all you have to do is look at their avatars to get their ssid numbers
Hacking MBL is a sport for Jeremy. 😉
To be honest, it's not even a challenge and I would not really call these hacks, just more like fun tricks. I am glad they showed us the way to point out these things is publicly. It's much more fun.
Ouch. Just, ouch.
Well I see you added my name to the list. If my wife finds my profile on a porn blog, you can do the explaining! 😉
These guys are really having a bad week 🙂
[…] Shoemoney has the scoop […]
ShoeMoney mentioned it above.. but to clarify:
To get someone’s MBL id just go to a page with MBL avatars being displayed:
http://www.mybloglog.com/buzz/members/rafer/
Right-click the avatar you want, and click View or Copy Location.
Then you have a url ending in: 2005030322105594_avatar.jpg
The string of numbers is the SID.
Hey MyBlogLog idiots: at the very freaking least, obfuscate between the private key (member SID) and the very public avatar key.
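The flaw described in the post and in the comment above is that the `mbl_sid` cookie value is the same number as the public member ID in the avatar URL. The following added example (not MyBlogLog's code and not part of the original post or comments; the class names, server key and sample ID are assumptions constructed for illustration) contrasts that design with an opaque random session token and an HMAC-derived avatar key.

```python
import hashlib
import hmac
import secrets

SAMPLE_MEMBER_ID = "2007010112000000"  # constructed, same 16-digit shape as the IDs on this page
SERVER_KEY = secrets.token_bytes(32)   # hypothetical server-side secret, never sent to clients


class WeakSessions:
    """Flawed design from the post: the cookie value *is* the public member ID."""

    def issue(self, member_id):
        return member_id

    def resolve(self, cookie_value):
        # Any well-formed ID is accepted, so knowing an ID equals being logged in.
        return cookie_value if cookie_value.isdigit() else None


class OpaqueSessions:
    """Hardened design: unguessable token mapped to the member on the server."""

    def __init__(self):
        self._by_digest = {}  # sha256(token) -> member_id; raw tokens are not stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, member_id):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_digest[self._digest(token)] = member_id
        return token

    def resolve(self, cookie_value):
        return self._by_digest.get(self._digest(cookie_value))

    def revoke(self, cookie_value):
        self._by_digest.pop(self._digest(cookie_value), None)


def avatar_key(member_id, key=SERVER_KEY):
    """Public avatar filename key: HMAC of the ID, useless as a credential."""
    return hmac.new(key, member_id.encode(), hashlib.sha256).hexdigest()[:32]


if __name__ == "__main__":
    sessions = OpaqueSessions()
    cookie = sessions.issue(SAMPLE_MEMBER_ID)
    print("weak accepts bare ID:  ", WeakSessions().resolve(SAMPLE_MEMBER_ID))
    print("opaque accepts bare ID:", sessions.resolve(SAMPLE_MEMBER_ID))
    print("opaque accepts token:  ", sessions.resolve(cookie))
    print("avatar file:", avatar_key(SAMPLE_MEMBER_ID) + "_avatar.jpg")
```

With the opaque design, neither the member ID nor the avatar key resolves to a session, and `revoke` lets the server end a session without changing the member's ID.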
[…] MyBlogLog widget as somebody else. now this is a flaw that really needs to get fixed right away and thanks should go out to Shoemonkey for finding it but really did you then need to provide a list of bloggers for people to […]
You’re scary sometimes, you know that, right?
Hey, can y’all verify for me that this has been patched? Thanks!
Nope. Not even close.
I am still surfing as shoemoney here!
[…] Jeremy of ShoeMoney shows how you can surf the web as other MyBlogLog members. […]
Hey Blue — can you tell me which site you’re on that shows you as Shoe? It’s possible that one of our scripts didn’t get upgraded and it would be great to know where you’re seeing this.
[…] how to hack mybloglog via Jason. […]
mysql> use mybloglog
Database changed
mysql> select count(*) from member;
+----------+
| count(*) |
+----------+
| 67514 |
+----------+
1 row in set (0.01 sec)
mysql> select count(*) from website;
+----------+
| count(*) |
+----------+
| 53195 |
+----------+
1 row in set (0.00 sec)
mysql> select * from member order by rand() limit 10;
+---------------+------------------+-----+---------+-------+------+---------------------+-----+
| nick | id | sex | friends | comms | mail | since | del |
+---------------+------------------+-----+---------+-------+------+---------------------+-----+
| Kogol | 2007013005260045 | | 1 | 0 | | 2007-01-30 00:00:00 | 0 |
| jagsby | 2007021612225968 | | 1 | 0 | | 2007-02-16 00:00:00 | 0 |
| frasernz | 2007011020323590 | | 1 | 0 | | 2007-01-10 00:00:00 | 0 |
| ScottKustes | 2007021212080579 | m | 1 | 0 | | 2007-02-12 00:00:00 | 0 |
| brandonwu | 2006102416373016 | | 1 | 0 | | 2006-10-24 00:00:00 | 0 |
| RichFeng | 2007012712233113 | | 1 | 1 | | 2007-01-27 00:00:00 | 0 |
| greenness | 2007021806453463 | | 1 | 0 | | 2007-02-18 00:00:00 | 0 |
| Helgeduelbek | 2007010506285072 | m | 5 | 4 | | 2007-01-05 00:00:00 | 0 |
| hesofktz | 2006111420584189 | | 1 | 0 | | 2006-11-14 00:00:00 | 0 |
| DannyAtDePaul | 2006122309374589 | | 1 | 0 | | 2006-12-23 00:00:00 | 0 |
+---------------+------------------+-----+---------+-------+------+---------------------+-----+
10 rows in set (1.11 sec)
mysql> select * from website order by rand() limit 10;
+------------------+----------------------------------------+
| uid | url |
+------------------+----------------------------------------+
| 2007021222173114 | blog.yam.com/tpsei |
| 2007010901144612 | www.mychristiannetwork.com/blog/mcncyo |
| 2007012019374188 | www.everythingmining.com |
| 2006090810070427 | dncrx.spaces.live.com |
| 2006112003035485 | www.ideamimarlik.net |
| 2006102622225563 | www.askrackmountranger.com |
| 2007010614392550 | sassygirladventures.blogspot.com |
| 2006041613491844 | www.usarchy.com |
| 2007010901394997 | www.gomojo.info |
| 2006110814400659 | blog.crankingwidgets.com |
+------------------+----------------------------------------+
10 rows in set (0.49 sec)
[…] ShoeMoney shows how you can surf the web via MyBlogLog as Michael Arrington or Jason Calacanis (or as someone else…). Did you like the article? Subscribe to my feed! […]
lol you scraped their whole site and put it in your db?
Hilarious…the MBL guys need some makeover now.
Man, you scraped the whole site?!? You should have just waited a few weeks for the API.
-T
[…] [Via: ShoeMoney] […]
Welcome to the big leagues.
LOL this should be fun to play with 😉 I hope mybloglog is watching your blog jeremy so they can fix this issue.
M*tha F*ckin Genius! You the man Shoe! I want to be your Padawan Learner so I can become the next Shoemoney Jedi Pimp!
Now you can build your own site, with a ton of ringtone ads. Same content, same images, but more ads, and more money.
This is slowly becoming the end of MBL as we once knew it back in 06.
[…] « MyBlogLog Trick – How To Surf The Web As ShoeMoney […]
That’s a real shame – they really didn’t benefit from banning you. If anything, they’ve drawn more attention to their faults without eliminating the true problem – their site.
There’s probably a lesson here though. Whenever you’re going to “stick it to the man”, put it on a fake myspace site and just link to that!
Have a great day!
Kumiko (although my mybloglog avatar may be John Chow)
[…] Shoemoney has been messing with security flaws in MyBlogLog and posting about them. MyBlogLog got fed up and […]
That’s really scary. How did this system go live that way?
Anyways, I think they fixed it. Right now if I try this, once I go to MyBlogLog the sid is changed again.
[…] who might want to be Danny Sullivan or Jeremy Zawodny could have used a tip Schoemaker published to do that with MyBlogLog. The Yahoo-owned blogging community service used […]
[…] is prefaced with my user id seems to be present. Perhaps they have since fixed the problem that ShoeMoney discussed a couple days ago, but banning him for making the issue public is unnecessary. They have essentially banned one of […]
Loren Baker – 2006120114424866
LOL!
[…] seems to involve Shoemoney’s figuring out to masquerade as other “people” by altering your cookie to match another individuals’ unique MBL ID — and furthermore, decided to publish a list of famous bloggers’ IDs for folks to […]
I wish I had never signed up to MBL now….
[…] has posted various exploits in the past, but it wasn’t til this latest one that Yahoo! decided enough was enough. The exploit he posted about was how you could surf the web […]
[…] has been written about the “Shoemoney Affair,” in which the blogger known as Shoemoney wrote about a MyBlogLog hack that allowed unscrupulous types to spoof their identities, and was subsequently […]
[…] Shoemoney has been a thorn in their side, calling them out on their shortcomings. When he finally exposed a security flaw and showed people how to visit blogs as other MyBlogLog users, MyBlogLog banned […]
Scary stuff. Hey, Shoe…will you visit my blog 10 times please? I need some help.
The exploit could hurt others reputations maybe, but otherwise you’re just freely advertising for them.
[…] about these issues was ShoeMoney. He was pointing out flaws and also pointed out a way people could surf the web pretending to be any member of MyBlogLog they wanted. This action got him banned from MyBlogLog. This caused […]
Ouch. These guys need to get it together.
[…] came a number of people looking use MyBlogLog for financial gains. From R-Rated avatars to people pretending to be somebody else to other commercial avatars like Mr. Online Pharmacy, there has been a glut of […]
They need some real help over there, horrible programming.
[…] I can’t do a post on MyBlogLog holes without mentioning Shoemoney’s from a few weeks […]
and why would your wife be on a porn blog to see it?
[…] MyBlogLog Trick – How To Surf The Web As ShoeMoney […]
[…] MyBlogLog hack of the week – by Shoemoney […]
[…] MyBlogLog hacks can be found here and here which got the ‘author’ temporarily […]
[…] bloggers such as Shoemoney. Jeremy found a security glitch in the code that allowed people to surf the net as someone else. They banned him, then later […]
Hi Shoe, I was just getting into all this Social Networking…Digital Signature stuff and then read your post 🙁 Not sure what to do now as MBL has come recommended from a number of top blogs!
[…] How To Surf The Web As ShoeMoney MyBlogLog Showing Communities I did not Join ? […]
[…] Beal as a spammer from the whole mybloglog thing so I outed a few small exploits Here and here and here then I was banned then dillsmack uncovered that Yahoo had implemented code specifically to track […]
old post but nevertheless interesting!
Isn’t that illegal, impersonating someone?
I do agree with all the ideas you have presented in your post. They are very convincing and will certainly work. Still, the posts are very short for newbies. Could you please extend them a little from next time? Thanks for the post.
Hey blog is mentioned on a squidoo lens which is not at all related to the content here :S, also just for ur info your rss is not working. Peace, Rick
Great information. I got lucky and found your site from a random Google search.
I am glad to be one of the visitants on this outstanding internet site (:, thanks for putting up.
[…] you probably heard the big “to do” about Shoemoney being dropped from MyBlogLog after he posted the User IDs of other members on his site… a flaw in MBL’s privacy model. Shoemoney has since been reinstated after a note from […]
It is actually a nice and useful piece of information. I am glad that you just shared this helpful info with us. Please stay us up to date like this. Thank you for sharing.