MyBlogLog Open To Attacks

Some days before shoemoney put another one. thats MBL is tracking adsense and YPN also which they can allegedly sell to others

Hey all -- we've posted a long article on the MyBlogLog blog about what happened and what we're doing in response. It's long and involved enough that distilling it here isn't going to be very useful. If you get a second, please have a look and let us know your thoughts. http://mybloglogb.typepad.com/my_weblog/2007/02/we...

John, I've noticed just by commenting on your blog for the first time a few days ago (before that, I was a lurker) that I'm getting a lot of comment spam on my blog now that I didn't have before.

Akismet seems to be catching it for now. But I wonder if the MyBlogLog spam is spilling over into this blog and following those of us who comment.

Maybe it's just coincidence.

Everything has people exploiting features, MyBlogLog is no exception nor will anything ever be. I have received over 400 emails in the past two days from the site and it's crazy - not to mention waking up this morning to be a co-author of 6 other sites.

That is what I don't understand - attacking John, Shoemoney, etc makes sense for traffic, but not the little guys.

-Nick
Blogger Time Capsule - 100,000 User Goal!

Wow. That's not good, I really like MyBlogLog. What did you do about it?

I received several Co-Author Invitation emails as well. I will blog about it to expose those shameless people.

Although, this should not be a long term problem as people are just discovering the bits of MBL waiting to be exploited.

While it's definitely an annoyance, this recent exploit/spam attack does serve as a (backhanded at least) compliment to mybloglog's ability to get targeted traffic to blogs. I just recently open a mybloglog account and already get quite a bit of traffic from it to my offshore outsourcing site and free online traffic generation blog. Mybloglog is huge. You get traffic just by visiting people's community sites. You don't even have to leave a message. People see your profile, get curious, and check out your page.

Hello John,

Sorry for the targeting your awesome blog. I'm a regular reader, and only choose people to target which I knew might have connections inside of MyBlogLog to get this fixed. This was just something that needed to be brought to attention before it got out of hand, with people automating the whole process, to ruin MyBlogLog.

Thanks,
Bradford Knowlton
http://www.seoadwords.com/
http://www.wig-dig.com/

The exploit is probably because of A) There is a huge flaw in their verification code algorithm, or B) Some fool forgot to close off a database insert flaw, most likely because of the lack of string checks.

Most likely it is B. Most security flaws are caused by a lack of data checks.

Anyways, I'm getting pretty fed up with MyBlogLog as well. When I first joined a few weeks back it was fine, and about two weeks ago I noticed people with names like "FREEWINDOWSVISTA" visiting my profile. Stupid affiliate spam site people.

What they need to do is add in a user voting system, so if a site gets below a certain rating it is automatically put up for moderation. If the site is deemed to be a spam site it will be banned forever.

hmmm...I've been hearing a bit about this mybloglog lately. Mainly about exploits, but it seems to be picking up some pretty good steam. I'll give it a try.

I received a phishing email for co-ownership from that Belgium blog as well. It will be sad if mbl continues to deteriorate ;/

I know it's not the point, but it is pretty easy to remove the blog from your profile (see my latest post). It does highlight some issues though...

I had four emails last night from people inviting me to become authors of blog communities that I'd never heard of before - its quickly becoming a spam den over there :-(

Well thankfully my blog is so low traffic that I haven't been subject to anything like this ;)

Score one for flying under the radar!

This spam thing is becoming a big problem, not just limited to big communities but also small ones. As Mark pointed out regarding the Belgian site. Spammers always find a way out!

I received one over the weekend from a Belgium site that blogs about Zune. They were asking me to join the blog as a co-author. Considering I that it was a non-english blog and that I didn't know who it was, I just deleted the email. These Spam guys just find every loophole and spoil it for everyone don't they. Pretty sickening.

This is a real shame as MyBlogLog has so much potential, I've read various other stories similar to this about people finding exploits.

Wait a minute... When you were co-author, did you have any special admin powers?

My guess is that the person in question has multiple mybloglog accounts and he experimented with the add co-author feature to the point where he figured out how to write up the confirmation link that comes via email. It's possible that the email verification link is the weak point.

John, check your spam filter for a co-author request from his account.

Yeah, Yahoo needs to handle all these issues - Shoemoney also reported another MyBlogLog exploit a while back...

I think I know how he did it.

If you see mt blog show up on your list you will know ;)

I received a phishing style email from someone over the weekend wanting me to become a co-author of another blog. Except I'd neve heard of the blog and the person who was meant to be offering had never visited my profile on mybloglog.

I wonder how long it will take them to plug the holes that allowed you to become the owner of another blog?

Yep -- I accepted one invitation to a MyBlogLog community over the weekend (my first one), and was flooded with e-mail spam within 30 minutes. I quit the community and likely won't give MyBlogLog another chance...