MyBlogLog Hack: Make anyone your co-author
After reading a post on John Chow's blog, "MyBlogLog open to attacks", I decided to take a moment and figure this hack out. This hack allows an unknown blogger to attach their blog to the owner of a very popular community.
It is very simple and points out a serious security problem with MyBlogLog's verification system.
Normally, in order to add a co-author to your blog the co-author has to approve you via an email link. One might think there would be a hidden security code in that link? Guess again!
In order to add anyone as a co-author of any blog all you need to know is two things:
1) The blog ID
2) The member ID
The first thing you do is make a normal co-author request. Since you know they will never actually approve it, you make up your own approval code instead.
Now, you just build an http request as such: http://www.mybloglog.com/buzz/add_author_conf.php?sid=[blog ID]&mid=[member ID]
That is it.
Pretty scary, no?
PS: Thankfully this hack does not work in reverse. You cannot add yourself as a co-author of someone else's blog.
How does MyBlogLog fix this?
1) In the verification email include a decline option
2) Add a secret key to the add_author_conf.php function
UPDATE
The folks at MyBlogLog have fixed this security hole. To stop it from working they have changed the approval function so that it only succeeds if the member being added as a co-author is the one who is logged in and following the link.
Do you really think it is a good idea laying out the complete details for how to pull this off? I figured it out on my own, and it isn’t hard. But now people have it laid out, in plain English. You did leave out some important details, such as how to find the member ID, but I’m sure people can figure it out pretty quickly. I hope people at MyBlogLog don’t take a holiday weekend. This could be a huge issue if they don’t fix it soon.
Thanks,
Bradford Knowlton
http://www.wig-dig.com
http://www.seoadwords.com
I contacted them as soon as I published this post. They informed me that they are working on fixing this and will report on it in their blog.
[…] enough? It gets worse, you don’t even need to phish! Normally, in order to add a co-author to your blog the […]
This is unbelievable. I was wondering why I was getting so many co-author requests. Luckily I’m extremely paranoid (it finally pays off), so I didn’t click on it.
You don’t have to click on them.
When they issue the request it puts the request in the system. The spammer then builds their own http/php command as shown above and they approve the request for you!
[…] MyBlogLog Hack: Make anyone your co-author MLB is becoming the spammer’s tool of choice. They sure have a long way to go! (tags: mybloglog) […]
Heya. We’ve posted a pretty lengthy article about what happened and what we’re doing moving forward. I hope you’ll check it out and let us know your thoughts. http://mybloglogb.typepad.com/my_weblog/2007/02/weekend_spamtac.html
[…] Is this going to be an ongoing problem with weekends? The last debacle occurred over a long […]