MyBlogLog's Co-Author Exploit

Got an email from MyBlogLog about 2 days ago.

Hi ScottYang,

I would like to add you as a co-author of my MyBlogLog community below:

Blog/Site: Blogmemes Belgium (http://www.blogmemes.be)
MyBlogLog community: http://www.mybloglog.com/buzz/community/Blogmemes_Belgium/

You MUST click on the link below to accept this request:

<Link Deleted>

Thanks,
Blogmemes_Belgium

Instead of clicking on the link, I went straight to the community page on MyBlogLog. And there it was: a blog site with hundreds of co-authors. I then went to the actual website, which turns out to be a Belgian Digg-like social bookmarking site. It just looked too fishy and too spammy, so I gave it a miss. After all, it wasn't the first time MyBlogLog got spammed.

I then discovered the exact same thing reported on Blogpond. Apparently both Jeremy Shoemaker and John Chow were affected and added as co-authors of that spammy community. If you "accidentally" become a co-author of a community, you will also receive an email whenever someone comments on that community. End result? Lots of unwanted emails!

The exploit is what is now generally called cross-site request forgery (CSRF), although at the time it was commonly lumped in with Cross Site Scripting (XSS). A malicious hacker crafts a fishy URL and tempts you to click on it; because your browser sends your existing session cookie for that web service along with the request, the link performs an action on your behalf without your confirmation or intervention. No script injection is needed: the accept link is simply a state-changing request that the server honours because a valid session cookie rides along with it.

These are my immediate reactions (which I posted on Blogpond).

  1. Even Chow and Shoemaker fall for the phishing links -- it is that easy!
  2. Cross site scripting is a major problem on MyBlogLog.

I actually don't find it that surprising that Chow and Shoemaker clicked on the links. As an Internet user you shouldn't be too scared of clicking on links, because of our implicit trust in the established websites we have authenticated with. Because of that trust we are not paranoid and do not run a browser without cookies and without JavaScript. Because of that trust the "Web 2.0" can be what it is today. We are trusting MyBlogLog here (though implicitly), believing that it is free from such holes and that no malicious hacker can hijack our sessions to perform operations on our accounts. Well, there goes my trust.

While MyBlogLog claims the hole has been fixed, it does make you wonder how many other holes there are. Especially given MyBlogLog's track record, you sometimes just cannot be sure whether all vulnerabilities have been patched. Combating this class of attack is never easy, and many applications have to sacrifice convenience for the sake of security. WordPress switched to nonces back in 2.0.3, and MBL might want to think about something similar. Or force all state-changing operations onto POST requests only (a cheap first step, though on its own it only defeats the link-in-an-email vector: a hidden form on a hostile page can submit a POST with your cookies just as easily, so the token is what actually does the work). Or require re-authentication on all state-changing operations.
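As an added example (my own code, not MyBlogLog's and not WordPress's), here is the WordPress-style nonce idea applied to the co-author accept action. The handler names, the `Request` shape, the in-memory `COAUTHORS` table and the `SECRET` value are all hypothetical stand-ins; the token construction follows the WordPress pattern of an HMAC over a time bucket, the action name and the user id, valid for the current and the previous half-lifetime window. The vulnerable handler honours any request that carries a session, which is why an emailed link is enough; the hardened one requires POST plus a token that the server itself issued to this user for this community.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

# Added example, not MyBlogLog's or WordPress's code. SECRET stands in for a
# per-deployment server secret; NONCE_LIFE mirrors WordPress's one-day lifetime.
SECRET = b"example-server-secret-do-not-reuse"
NONCE_LIFE = 24 * 60 * 60  # seconds


def _tick(now):
    # Time is bucketed into half-lifetime windows; accepting the current and the
    # previous window means a token is good for between life/2 and life seconds.
    return int(now // (NONCE_LIFE / 2))


def create_nonce(user_id, action, now=None):
    """Mint a short token bound to one user, one action and one time window."""
    now = time.time() if now is None else now
    msg = f"{_tick(now)}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(nonce, user_id, action, now=None):
    """Accept a token minted in this or the previous half-lifetime window."""
    if not isinstance(nonce, str) or not nonce.isascii():
        return False  # compare_digest only takes ASCII str or bytes
    now = time.time() if now is None else now
    for back in (0, 1):
        expected = create_nonce(user_id, action, now - back * (NONCE_LIFE / 2))
        if hmac.compare_digest(nonce, expected):
            return True
    return False


@dataclass
class Request:
    method: str
    params: dict
    session_user: str  # whoever the session cookie identifies


# In-memory stand-in for the co-author table: community -> set of members.
COAUTHORS = {}

ACCEPT = "accept_coauthor"


def accept_coauthor_vulnerable(req):
    """Any request carrying a valid session is honoured, GET included, so a
    link in an email is all an attacker needs."""
    community = req.params["community"]
    COAUTHORS.setdefault(community, set()).add(req.session_user)
    return 200


def accept_coauthor_hardened(req, now=None):
    """Require POST plus a nonce the server issued to this user for this action."""
    if req.method != "POST":
        return 405  # stops the emailed link, but not a hidden cross-site form
    community = req.params.get("community", "")
    nonce = req.params.get("_nonce", "")
    if not verify_nonce(nonce, req.session_user, f"{ACCEPT}:{community}", now):
        return 403  # forged or stale: no token, another user's token, or expired
    COAUTHORS.setdefault(community, set()).add(req.session_user)
    return 200


def confirmation_page_nonce(user_id, community, now=None):
    """What the legitimate 'accept this request?' page embeds in its form."""
    return create_nonce(user_id, f"{ACCEPT}:{community}", now)


if __name__ == "__main__":
    victim = "ScottYang"  # constructed sample session
    forged_get = Request("GET", {"community": "Blogmemes_Belgium"}, victim)
    print("vulnerable, emailed link:", accept_coauthor_vulnerable(forged_get))
    print("hardened, emailed link  :", accept_coauthor_hardened(forged_get))
    forged_post = Request("POST", {"community": "Blogmemes_Belgium"}, victim)
    print("hardened, hidden form   :", accept_coauthor_hardened(forged_post))
    token = confirmation_page_nonce(victim, "Blogmemes_Belgium")
    real = Request("POST", {"community": "Blogmemes_Belgium", "_nonce": token}, victim)
    print("hardened, real confirm  :", accept_coauthor_hardened(real))
```

Two design points matter here. The token is bound to the user id, so a nonce the attacker obtains for their own session does not verify for the victim's session, and it is bound to the community, so a token issued for one confirmation page cannot be replayed against another. The time bucket gives a natural expiry without storing anything server-side, at the cost of tokens living up to a full lifetime rather than exactly one.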

Meanwhile, I will just make sure I always log out and clear MyBlogLog's domain and path cookies. But then that pretty much renders MBL useless, doesn't it, since it can no longer track which member visited which community.

I was in a positive mood when I took MyBlogLog for another spin earlier this month. I am back to being critical again here, and find myself returning to square one, arguing whether MBL is actually a good fit for my blogs.

Update: It appears that logging out of MyBlogLog only logs you out of the admin interface; a cookie remains to track you on other blogs (which you need to clear explicitly). I think this is actually a good arrangement, and everyone should log off whenever they are not maintaining their profile on MBL: it will still track you after you have logged out, and being logged out reduces the exposure to this kind of exploit.