Articles tagged in mybloglog

  1. MyBlogLog's Co-Author Exploit

    Got an email from MyBlogLog about 2 days ago.

    Hi ScottYang,

    I would like to add you as a co-author of my MyBlogLog community below:

    Blog/Site: Blogmemes Belgium (http://www.blogmemes.be)
    MyBlogLog community: http://www.mybloglog.com/buzz/community/Blogmemes_Belgium/

    You MUST click on the link below to accept this request:

    <Link Deleted>

    Thanks,
    Blogmemes_Belgium

    Instead of clicking on the link, I went straight to its community site on MyBlogLog. And there we have it -- a blogsite with hundreds of co-authors. I then went to the actual website, which turns out to be a Digg-like social bookmarking site in Belgian. It just sounds too fishy and too spammy. So I gave it a miss. After all it wasn't the first time MyBlogLog got spammed.

    I then discovered the exact same thing reported on Blogpond. Apparently both Jeremy Shoemaker and John Chow were affected and added as co-authors of that spammy community. If you "accidentally" become a co-author of a particular community, you will also receive emails whenever someone comments on that community. End result? Lots of unwanted emails!

    The exploit is what is properly called Cross Site Request Forgery (CSRF), although it is commonly filed under Cross Site Scripting (XSS): a malicious party crafts a fishy URL and tempts you to click it, and because your browser attaches your existing MyBlogLog session cookie to that request, the site carries out the action on your behalf without your confirmation or intervention. No script has to run in your browser; the link itself is the attack, and the site's only mistake is treating "a request arrived with a valid cookie" as proof that you meant to send it.

    These are my immediate reactions (which I posted on Blogpond).

    1. Even Chow and Shoemaker fall for the phishing links -- it is that easy!
    2. Cross site scripting is a major problem on MyBlogLog.

    I actually don't find Chow and Shoemaker clicking on the links that surprising. If you are an Internet user, you shouldn't be too scared of clicking on links, because of our implicit trust in established websites with which we have authenticated. Because of trust we are not paranoid and running a browser without cookies and without JavaScript. Because of trust the "Web 2.0" can be what it is today. We are trusting MyBlogLog here (though implicitly), believing that it will be free from XSS and that no malicious hacker can steal my identity to perform operations on our accounts. Well, there goes my trust.

    While MyBlogLog claimed the hole has been fixed, it does make you wonder how many other holes there are. Especially with MyBlogLog's track record, you sometimes cannot be sure that all vulnerabilities have been patched. Combating request forgery is never easy, and many applications have to sacrifice convenience for the sake of security. WordPress switched to nonces back in 2.0.3, and MBL might want to think about something similar: a token tied to the user's session and to the specific action, which a link crafted by someone else cannot carry. Or force all state-changing operations onto POST requests only, so that a GET link in an email can never change anything by itself. Or require re-authentication on all state-changing operations.
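    As an added example (not code from MyBlogLog or from this post), the following Python sketches the accept-co-author endpoint both as the post describes it and with two of the mitigations above, a POST-only rule and a WordPress-style action nonce, then replays the emailed link, a forged cross-site POST and a genuine confirmation against both handlers. The `Request` class, the session store, `SERVER_SECRET`, the handler names and the community used in the replay are all assumptions for illustration; the nonce scheme (HMAC over action, session and a 12-hour window, truncated, current and previous window accepted) follows the WordPress design in outline, not any MyBlogLog code.

```python
import hashlib
import hmac
import secrets
import time

# Per-deployment signing secret (assumption: MyBlogLog's real mechanism is not public).
SERVER_SECRET = secrets.token_bytes(32)

# Constructed session store and community state, standing in for the site's database.
SESSIONS = {"sess-scott": "ScottYang"}
COAUTHORS = {}  # community name -> set of usernames


class Request:
    """Minimal stand-in for an HTTP request as the server sees it. The browser attaches
    the session cookie to every request for the domain, whether the user triggered it
    or a page the attacker controls did."""

    def __init__(self, method, query=None, form=None, cookies=None):
        self.method = method
        self.query = query or {}
        self.form = form or {}
        self.cookies = cookies or {}


def current_user(req):
    return SESSIONS.get(req.cookies.get("session"))


def make_nonce(session_id, action, tick=None):
    """WordPress-style action nonce: HMAC over (action, session, time window), truncated.
    It is bound to this session and this action, which a cross-site link cannot obtain."""
    tick = int(time.time() // 43200) if tick is None else tick  # 12-hour windows
    msg = f"{action}|{session_id}|{tick}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(session_id, action, nonce, tick=None):
    """Accept the current window and the previous one (a form filled in just before the
    rollover still submits); compare in constant time."""
    tick = int(time.time() // 43200) if tick is None else tick
    supplied = (nonce or "").encode()
    return any(
        hmac.compare_digest(make_nonce(session_id, action, t).encode(), supplied)
        for t in (tick, tick - 1)
    )


def vulnerable_accept(req):
    """The behaviour the post describes: a GET link plus the cookie the browser adds
    automatically is enough to add the logged-in user as co-author."""
    user = current_user(req)
    if not user:
        return 401
    community = req.query.get("community")
    if not community:
        return 400
    COAUTHORS.setdefault(community, set()).add(user)
    return 200


def hardened_accept(req):
    """Same endpoint with two of the post's suggestions: state changes only on POST,
    and only with a nonce issued to this session for this exact action."""
    if req.method != "POST":
        return 405
    user = current_user(req)
    if not user:
        return 401
    community = req.form.get("community")
    if not community:
        return 400
    action = f"accept_coauthor:{community}"
    if not verify_nonce(req.cookies.get("session"), action, req.form.get("nonce")):
        return 403  # a request forged from another site cannot carry a valid nonce
    COAUTHORS.setdefault(community, set()).add(user)
    return 200


def run_demo():
    """Replay three requests, all carrying Scott's cookie, against both handlers."""
    COAUTHORS.clear()
    cookie = {"session": "sess-scott"}
    community = "Blogmemes_Belgium"
    # 1. The emailed link: a plain GET the browser sends with the cookie attached.
    link = Request("GET", query={"community": community}, cookies=cookie)
    # 2. A hidden auto-submitting form on an attacker page: POST, cookie, no nonce.
    forged_post = Request("POST", form={"community": community}, cookies=cookie)
    # 3. The real confirmation form the site rendered for Scott, nonce included.
    nonce = make_nonce("sess-scott", f"accept_coauthor:{community}")
    real_post = Request("POST", form={"community": community, "nonce": nonce}, cookies=cookie)
    results = {
        "vulnerable_link": vulnerable_accept(link),
        "hardened_link": hardened_accept(link),
        "hardened_forged_post": hardened_accept(forged_post),
        "hardened_real_post": hardened_accept(real_post),
    }
    results["coauthors"] = sorted(COAUTHORS.get(community, set()))
    return results


if __name__ == "__main__":
    print(run_demo())
```

    The POST-only rule alone stops the emailed link but not a hidden form on an attacker's page; the nonce stops both, because the attacker can make the victim's browser send the cookie but cannot read a token the site only ever hands to the victim.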

    Meanwhile, I will just make sure I always log out and clean up my MyBlogLog domain and path cookies. But then that pretty much renders MBL useless, doesn't it, as it can no longer track which member visited which community.

    I was on a positive note when I took MyBlogLog for another spin earlier this month. I am back to being critical again here, and find myself returning to square one, arguing whether MBL is actually a good fit for my blogs.

    Update: It appears that logging out of MyBlogLog only logs you out of the admin interface; a cookie is still there to track you on other blogs (which you need to clear explicitly). I think it is actually a good idea, and everyone should log off when they are not maintaining their profile on MBL -- it will still track you even when you have logged out, and it reduces the possibility of XSS exploits.

  2. Another Look on MyBlogLog

    I did blog about MyBlogLog back in October, didn't I?

    Quite a few things happened afterwards. A few days after my previous "short review", I actually deleted my account there, because I just could not stand their aggressive tracking script that "rings home" whenever someone clicks on some links. I guess that is why they are called MyBlogLog -- but I wasn't there for the statistics, I just wanted to build a community of readers of my sites.

    Anyway. Then they were bought by Yahoo! early last month. Well done man!

    So at the end of January, I applied for an account again. Luckily I got my old URL back, and was able to claim back all my sites as communities. Phew. Since then I have actually quite enjoyed what MyBlogLog can offer to my sites. The best feature has got to be the Communities -- you get to see which other bloggers are reading your sites and build contacts. You also get to see who else is reading the same blogs that you are reading.

    There are still many issues -- some are publicly acknowledged, and some are just my personal gripes.

    • Spam -- just search Google, and you'll see how severe it is. Every now and then there will be people I've never heard of wanting me to join their community or to add them as my contacts. Then there's also the comment spam issue. There are many "popular looking" profiles up there, but how many of their contacts are real? Don't know.
    • Stats Javascript -- still one of my biggest issues. The "widget" that you add to your website attaches itself to quite a few "events". Well, they are necessary to track things like most popular links. However I don't need site stats. AWStats from the server log is good enough for me, and I would like to track just the readers. Too bad you can't turn part of the tracking off.
    • Add a Blog/Site -- I was shocked how easy it is to claim a blog/site. Put in the URL, some description, click on a button, and it is yours! That makes Technorati's and Google Webmaster Tools' claiming processes look way too complicated. Now let me see whether I can claim Google or Yahoo...
    • Lack of Social Networking Features -- I guess in the end it was the social networking aspect that drove me to MyBlogLog (I've stated that I don't use the statistics). Now that they have all the member profiles, all the relations, etc., they ought to add more social networking functionality on top. My secondary contacts? Find me someone in the system who shares more than 3 communities with me? Recommended communities from my current contacts? Etc...
    • User interface -- okay. It works. Just not pretty. Even Yahoo!'s homepage looks prettier.
    • Lack of Feed Integration -- it does not help when the majority of your "potential community members" are actually reading your blogs through RSS/Atom feeds. At least it is true in my case. I am reading through 300+ items in around 100 feeds every day, but I rarely go to the website itself unless I feel a need to comment. The end result is, I am hardly in any MyBlogLog community.

    Well. That's it for me. Still, it is an innovative service, and has been endorsed by bloggers as it helps to build communities around our soapboxes. I am surprised that there hasn't yet been an imitation with all the shortcomings already solved (then again I don't really read TechCrunch). But now with Yahoo's money and resources, we'll hopefully see more speedy development from these guys.

  3. MyBlogLog, Social Network for Bloggers

    MyBlogLog, the site that binds bloggers and their readers together. It's basically a social networking site where you can create profiles, edit contacts, etc. What's unique is its integration with a JavaScript-based traffic logger, which enables bloggers or webmasters to see which MyBlogLog member is visiting their site. These statistics then enable the formation of communities, i.e. readers who share common sites. Very cool indeed, but privacy might be an issue. I've signed up regardless.