Major flaw in MyBlogLog plug-in for WordPress
I have just discovered a major flaw in a MyBlogLog plug-in for WordPress blogs. It involves comments.
If you are using MyBlogLog and your blog has the MyAvatars plug-in installed you might want to know something...
If anyone leaves a comment on your blog using the name of an existing MyBlogLog member the comment will have their avatar and appear to be left by that person!
Don't believe me? Go to this blog that uses this plug-in and use my information to leave your comment:
HMTKSteve
steve@hmtk.com
http://www.hmtk.com/blog
and see what happens!
In fact, go to any blog on the internet that uses this plug-in and use my information! The world will think it is me!
The problem is that the plug-in only looks at the email address you type when filling out the comment form. It doesn't care who you are, it only cares about the email address. This can lead to all sorts of abuse as you run all over the internet leaving comments as if you were someone else!
I grant that you can already do this but... There is a certain amount of trust you place in a comment when you see the member's avatar next to the comment.
This could be fixed by having the plug-in verify that the person is actually logged in to MyBlogLog when they leave the comment, but that would have to be done by the MyBlogLog developers themselves rather than an outside developer.
UPDATE
Ryan has just pointed out that it is not based on email but URL!!!
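The two ways of picking an avatar described above, modelled as an added example in Python (the actual plug-in is WordPress PHP, and none of this is its code): the first function keys the avatar off whatever URL the commenter typed, which is the flaw; the second only shows a member's avatar when the comment carries proof that its author authenticated to the identity service, which is the fix the post suggests. The member directory, the `IdentityService` class, the `login_proof` field and the secret are all constructed for the demonstration and are not MyBlogLog's API. The same logic applies whether the lookup key is the email address or the URL, since both are typed freely into the comment form.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed stand-in for the MyBlogLog member directory: profile URL -> avatar.
MEMBER_AVATARS: Dict[str, str] = {
    "http://www.hmtk.com/blog": "avatars/hmtksteve.png",
}
DEFAULT_AVATAR = "avatars/anonymous.png"


def resolve_avatar_insecure(comment: dict) -> str:
    """The flaw from the post: the avatar is chosen solely from the URL the
    commenter typed. Nothing ties that URL to the person submitting the form,
    so anyone who knows a member's URL gets that member's avatar."""
    return MEMBER_AVATARS.get(comment.get("url", ""), DEFAULT_AVATAR)


class IdentityService:
    """Hypothetical model of the identity provider (MyBlogLog in the post).
    After a member logs in it hands them a proof bound to their profile URL;
    the blog cannot mint such proofs because it never sees the secret."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def issue_proof(self, profile_url: str) -> str:
        # Issued only after the member has authenticated to the service.
        return hmac.new(self._secret, profile_url.encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def verify(self, profile_url: str, proof: Optional[str]) -> bool:
        if not proof:
            return False
        expected = self.issue_proof(profile_url)
        # Constant-time comparison so the check itself leaks nothing.
        return hmac.compare_digest(expected, proof)


# Constructed secret held by the service only.
SERVICE = IdentityService(secret=b"constructed-demo-secret-not-real")


def resolve_avatar_verified(comment: dict, service: IdentityService = SERVICE) -> str:
    """The fix: a member's avatar is displayed only when the identity service
    confirms that the commenter authenticated as the owner of that URL.
    Anything else, including a correct URL with no proof, gets the default."""
    url = comment.get("url", "")
    if url in MEMBER_AVATARS and service.verify(url, comment.get("login_proof")):
        return MEMBER_AVATARS[url]
    return DEFAULT_AVATAR


if __name__ == "__main__":
    # Constructed comments: one typed by a stranger using the member's details,
    # one submitted by the member after logging in.
    forged = {"name": "HMTKSteve", "url": "http://www.hmtk.com/blog",
              "body": "Looks like me, isn't me."}
    genuine = dict(forged, login_proof=SERVICE.issue_proof(forged["url"]))
    print("insecure, forged :", resolve_avatar_insecure(forged))
    print("verified, forged :", resolve_avatar_verified(forged))
    print("verified, genuine:", resolve_avatar_verified(genuine))
```

The point of keeping `IdentityService` separate from the two resolver functions is the one the post makes: the blog-side plug-in can only ever see form fields, so it cannot perform this verification on its own; the check has to come from the service that actually authenticated the member.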
I just checked the code and it turns out that all you have to do is post the URL of what’s registered at MyBlogLog. Yay!
I would have dugg this little exploit except I just posted about how much I hate digg and that I quit. So if I were to submit something now, it would make me look dumber than I already am.
=o
Well, this is the same with Gravatar… Any suggestion?
The only thing I can think of to fix this would be for MyBlogLog to create an official plug-on that works based on a user being logged in to their MyBlogLog account.
Well, I think it is a good idea, but with a few changes to be developed…
Hi all!
I want all of you to know, World is mine, and your site good
Bye