
This morning, while I was checking my MyBlogLog community, I noticed that another site has mysteriously appeared on the list of sites and blogs I author.


I don’t know what site that is or how it got there but it seems someone has figured out a way to get their blog listed in the Sites and Blogs I Author section of MyBlogLog members. Checking out the mystery blog shows the spammer managed to get himself listed onto other MyBlogLog accounts, including Shoemoney.


It’s clear the spammer is targeting popular MyBlogLog communities to get his site in front of as many people as possible. So far, it looks like I’m the only one who has removed the offending blog. No doubt the spammer planned his attack on the weekend thinking the blog owners will be away till Monday.

MyBlogLog seems to be growing faster than Yahoo can handle. Spam is becoming a major problem and there are countless exploits that a spammer can use to gain access to the community. Yahoo needs to shut this crap down before MyBlogLog becomes another MySpace.


    41 Comments »

    Comment by david
    2007-02-18 17:06:17

    Yep — I accepted one invitation to a MyBlogLog community over the weekend (my first one), and was flooded with e-mail spam within 30 minutes. I quit the community and likely won’t give MyBlogLog another chance…

     
    Comment by Gareth
    2007-02-18 17:11:57

    I received a phishing style email from someone over the weekend wanting me to become a co-author of another blog. Except I’d never heard of the blog and the person who was meant to be offering had never visited my profile on mybloglog.

    I wonder how long it will take them to plug the holes that allowed you to become the owner of another blog?

    Comment by Jeff
    2007-02-18 21:58:40

    I get so much of that crap through mybloglog too… some guy going “thanks for visiting my site” or “wow great blog you have there” and what not.. it’s crap.

     
     
    Comment by HMTKSteve
    2007-02-18 17:19:30

    I think I know how he did it.

    If you see my blog show up on your list you will know ;)

    Comment by HMTKSteve
    2007-02-18 17:53:50

    Check it out John Chow, you are now my co-author!!!

    That was a super easy hack. I may have to blog about this one!

    Comment by John Chow
    2007-02-18 18:01:33

    Yep. I say this is something to blog about.

    Comment by HMTKSteve
    2007-02-18 18:03:33

    Blog article complete. It should show up as a trackback here.

    Comment by Nomar
    2007-02-19 04:54:15

    Cool !! Nice articles guys

     
     
     
     
     
    Comment by Hannes Johnson
    2007-02-18 17:24:04

    Yeah, Yahoo needs to handle all these issues - Shoemoney also reported another MyBlogLog exploit a while back…

     
    Comment by HMTKSteve
    2007-02-18 17:34:46

    My guess is that the person in question has multiple mybloglog accounts and he experimented with the add co-author feature to the point where he figured out how to write up the confirmation link that comes via email. It’s possible that the email verification link is the weak point.

    John, check your spam filter for a co-author request from his account.
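
HMTKSteve's guess above is that the e-mailed confirmation link could be written by the inviter himself. As an added illustration of how such a link can be made unforgeable (this is not MyBlogLog's code, the page does not confirm the actual flaw, and every name below is hypothetical), this Python example signs the invitation with a server-side key and only honours it inside the invitee's own logged-in session. It assumes ids never contain `|`.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo key; a real service would load this from a secret store.
SECRET_KEY = b"demo-key-not-for-production"


def _sign(payload: bytes) -> str:
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_invite(blog_id: str, invitee_id: str, ttl: int = 86400, now=None) -> str:
    """Build the token that goes into the e-mailed confirmation link."""
    expires = int(now if now is not None else time.time()) + ttl
    payload = f"{blog_id}|{invitee_id}|{expires}"
    return f"{payload}|{_sign(payload.encode())}"


def accept_invite(token: str, session_user_id: str, now=None) -> str:
    """Return the blog_id to attach to the profile, or raise ValueError."""
    try:
        blog_id, invitee_id, expires, sig = token.split("|")
        expires_at = int(expires)
    except ValueError:
        raise ValueError("malformed token") from None
    payload = f"{blog_id}|{invitee_id}|{expires}".encode()
    # Constant-time comparison: without the server key the link cannot be
    # hand-written or edited to name another blog or another member.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        raise ValueError("bad signature")
    if (now if now is not None else time.time()) > expires_at:
        raise ValueError("expired")
    # A valid link alone is not enough: the account being modified must be
    # the one that is logged in and clicking it.
    if session_user_id != invitee_id:
        raise ValueError("token was issued to a different account")
    return blog_id


if __name__ == "__main__":
    token = issue_invite("blog-42", "user-7")  # constructed sample ids
    print(accept_invite(token, "user-7"))
```
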

     
    Comment by HMTKSteve
    2007-02-18 17:35:36

    Wait a minute… When you were co-author, did you have any special admin powers?

     
    Comment by Ian
    2007-02-18 17:35:38

    This is a real shame as MyBlogLog has so much potential, I’ve read various other stories similar to this about people finding exploits.

     
    2007-02-18 18:01:28

    [...] reading a post on John Chow’s blog mybloglog open to attacks. This hack allows an unknown blogger to attach their blog to the owner of a very popular community. [...]

     
    Comment by Mark Johnson
    2007-02-18 18:04:02

    I received one over the weekend from a Belgium site that blogs about Zune. They were asking me to join the blog as a co-author. Considering that it was a non-English blog and that I didn’t know who it was, I just deleted the email. These Spam guys just find every loophole and spoil it for everyone don’t they. Pretty sickening.

    Comment by Kenny
    2007-02-18 22:04:42

    While these spam guys exploit weaknesses in the system, it provides an opportunity for sites such as mybloglog to go and fix these issues resulting in a more secure site.

    On the other hand, if they just sit idle and don’t fix these issues swiftly, the whole system will just collapse as bloggers move on to better services out there.

     
     
    Comment by Sharique
    2007-02-18 18:29:12

    This spam thing is becoming a big problem, not just limited to big communities but also small ones. As Mark pointed out regarding the Belgian site. Spammers always find a way out!

     
    Comment by Marc
    2007-02-18 18:50:36

    Well thankfully my blog is so low traffic that I haven’t been subject to anything like this ;)

    Score one for flying under the radar!

     
    Comment by Darren
    2007-02-18 19:06:03

    I had four emails last night from people inviting me to become authors of blog communities that I’d never heard of before - it’s quickly becoming a spam den over there :-(

     
    Comment by Meg
    2007-02-18 19:39:41

    I know it’s not the point, but it is pretty easy to remove the blog from your profile (see my latest post). It does highlight some issues though…

     
    Comment by Jennifer Lynn
    2007-02-18 19:47:13

    I received a phishing email for co-ownership from that Belgium blog as well. It will be sad if mbl continues to deteriorate ;/

     
    Comment by David Mackey
    2007-02-18 20:13:35

    hmmm…I’ve been hearing a bit about this mybloglog lately. Mainly about exploits, but it seems to be picking up some pretty good steam. I’ll give it a try.

     
    Comment by Jeremy Steele
    2007-02-18 20:14:01

    The exploit is probably because of A) There is a huge flaw in their verification code algorithm, or B) Some fool forgot to close off a database insert flaw, most likely because of the lack of string checks.

    Most likely it is B. Most security flaws are caused by a lack of data checks.

    Anyways, I’m getting pretty fed up with MyBlogLog as well. When I first joined a few weeks back it was fine, and about two weeks ago I noticed people with names like “FREEWINDOWSVISTA” visiting my profile. Stupid affiliate spam site people.

    What they need to do is add in a user voting system, so if a site gets below a certain rating it is automatically put up for moderation. If the site is deemed to be a spam site it will be banned forever.

     
    Comment by Bradford Knowlton
    2007-02-18 20:38:49

    Hello John,

    Sorry for targeting your awesome blog. I’m a regular reader, and only chose people to target who I knew might have connections inside of MyBlogLog to get this fixed. This was just something that needed to be brought to attention before it got out of hand, with people automating the whole process, to ruin MyBlogLog.

    Thanks,
    Bradford Knowlton
    http://www.seoadwords.com/
    http://www.wig-dig.com/

     
    Comment by Webmaster Labor
    2007-02-19 00:12:48

    While it’s definitely an annoyance, this recent exploit/spam attack does serve as a (backhanded at least) compliment to mybloglog’s ability to get targeted traffic to blogs. I just recently opened a mybloglog account and already get quite a bit of traffic from it to my offshore outsourcing site and free online traffic generation blog. Mybloglog is huge. You get traffic just by visiting people’s community sites. You don’t even have to leave a message. People see your profile, get curious, and check out your page.

     
    Comment by ilker
    2007-02-19 01:38:07

    I received several Co-Author Invitation emails as well. I will blog about it to expose those shameless people.

    Although, this should not be a long term problem as people are just discovering the bits of MBL waiting to be exploited.

    Comment by Leftblank
    2007-02-19 02:27:00

    Same here, up to 5 mails a day, while my blog isn’t even very popular or so, I wonder how they find the ones to spam.

     
    Comment by HMTKSteve
    2007-02-19 03:59:03

    Feel free to “re-use” my blog post on this hack, just be sure to give a link-back. I publish under a Creative Commons License.

     
     
    2007-02-19 04:10:33

    [...] worked. The spammer has attached their website to a lot of popular bloggers communities. More from John Chow This morning, while I was checking my MyBlogLog community, I noticed that another site has [...]

     
    Comment by Doug Karr
    2007-02-19 07:09:00

    Wow. That’s not good, I really like MyBlogLog. What did you do about it?

     
    Comment by Nick
    2007-02-19 07:33:05

    Everything has people exploiting features, MyBlogLog is no exception nor will anything ever be. I have received over 400 emails in the past two days from the site and it’s crazy - not to mention waking up this morning to be a co-author of 6 other sites.

    That is what I don’t understand - attacking John, Shoemoney, etc makes sense for traffic, but not the little guys.

    -Nick
    Blogger Time Capsule - 100,000 User Goal!

    Comment by Bradford Knowlton
    2007-02-19 10:32:10

    Hello Nick,

    I discovered the loophole late Saturday night, and I chose to add Shoemoney, John, Danny, Graywolf to my list for 1 reason. A) They are going to blog about it so people would find out it is happening, B) They are smart enough to just click remove and go on with life.

    I didn’t have any connection with the Belgium people, and the only reason I did anything was to draw attention to the problem and get it fixed. Everyone I chose, the top 10 bloggers, might have readers at MyBlogLog or Yahoo who could get this fixed.

    Let’s hope it gets fixed,
    Bradford Knowlton
    http://www.wig-dig.com/
    http://www.seoadwords.com/

     
     
    2007-02-19 11:13:50

    [...] bloggers are talking about comment spam, author hacks, and other My Blog Log issues today - John Chow, Darren Rowse, Danny Sullivan. This is a huge issue for MBL - they better get into reputation [...]

     
    2007-02-19 12:19:24

    [...] : it seems that there’s other people (famous people or the A-List Blogger such as Shoemoney, John Chow, Darren Rowse, and Danny Sullivan) that got the same problem like me too. And now i know that [...]

     
    2007-02-19 14:21:01

    [...] John Chow and search guru Danny Sullivan have reported, they have been approached to become “co-authors” of [...]

     
    2007-02-19 16:13:47

    [...] they’d been added as authors on blogs that they didn’t write on including ShoeMoney, John Chow, Danny Sullivan and Web Metrics Guru. Reading the comments on these blogs shows that many others [...]

     
    Comment by Debbie
    2007-02-19 19:56:44

    John, I’ve noticed just by commenting on your blog for the first time a few days ago (before that, I was a lurker) that I’m getting a lot of comment spam on my blog now that I didn’t have before.

    Akismet seems to be catching it for now. But I wonder if the MyBlogLog spam is spilling over into this blog and following those of us who comment.

    Maybe it’s just coincidence.

     
    Comment by Eric Marcoullier
    2007-02-19 20:49:01

    Hey all — we’ve posted a long article on the MyBlogLog blog about what happened and what we’re doing in response. It’s long and involved enough that distilling it here isn’t going to be very useful. If you get a second, please have a look and let us know your thoughts. http://mybloglogb.typepad.com/my_weblog/2007/02/weekend_spamtac.html

     
    2007-02-21 04:15:50

    [...] then discovered the exact same thing reported on Blogpond. Apparently both Jeremy Shoemaker and John Chow were affected and added to be the co-authors of that spammy community. If you [...]

     
    2007-02-25 01:17:28

    [...] not the only problem, though - MyBlogLog has been reported to have some serious security flaws that allows random people to add their blog or site to your [...]

     
    2007-02-25 10:34:19

    [...] John Chow and search guru Danny Sullivan have reported, they have been approached to become [...]

     
    Comment by Ajith
    2007-02-25 21:55:04

    Some days before, Shoemoney put up another one: that MBL is tracking AdSense and YPN also, which they can allegedly sell to others.

     