Why you were logged out of MyblogLog last night

You’re a Mybloglog user? Then you probably have had to log in again to have your avatar reappear at the blogs you visit. Some hours ago MyblogLog changed the way they place an identifier cookie on your hard disk. The reason: it was all too obvious how to take over someone else’s identity. More than a month ago, my fellow Belgian eMich (Michaël Uyttersprot) had already posted how to do this (I summarize his French-language post):

  1. delete the following cookies for the mybloglog.com domain: (they’re the cookies that give you access to your account at mybloglog)
    1. mbl_user : login for mybloglog.com
    2. mbl_pass : a hash of your password
    3. mbl_rem : the “remember me?” value
  2. then there still is the mbl_sid cookie: this won’t let you access your account data, but it is sufficient to identify you to the mybloglog.com javascript snippet at the blogs you visit
  3. change this cookie to the identifier of the person you wish to impersonate – and here’s the trick: until yesterday, you could simply pick his or her ID from the avatar’s file name, so 2006030209452263 was my ID since my avatar is 2006030209452263_avatar.jpg.
  4. which means you could fool anyone into believing that Michael Arrington, Chris Pirillo or Steve Rubel had visited their blog (including yourself if you needed an ego boost ;-)
  5. since yesterday, this identifying cookie (you get it automatically by logging out of and back in to MyblogLog) has a value that still starts with the old ID, but is about three times as long (my cookie now is 2006030209452263bff46220b972135fdbc28eddfb92b8ec78e71002, so feel free to impersonate me :-) ). So far I haven’t seen a way to get hold of someone else’s identifier, and I guess the Mybloglog guys made it a lot harder this time….
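To make the difference between the two cookie schemes concrete, here is an added example (my own code, not MyblogLog’s): the old mbl_sid was nothing but the numeric user ID, which anyone could read off an avatar file name, so the server had nothing to verify. The new value keeps the ID but appends a 40-hex-character suffix, which is exactly the length of a SHA-1 digest. How MyblogLog actually computes that suffix is not known; the example assumes an HMAC-SHA1 over the ID under a server-side secret, which is one standard way to get a suffix that cannot be derived from public data. Names, the secret and the sample ID are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side secret; a real deployment loads it from configuration
# and never ships it to the browser. It is the only thing that makes the suffix
# unguessable.
SERVER_SECRET = secrets.token_bytes(32)

TAG_HEX_LEN = 40  # hex length of a SHA-1 digest, matching the suffix in the post


def old_cookie(user_id: str) -> str:
    """Old scheme as described in the post: mbl_sid is just the user ID,
    the same number that appears in <ID>_avatar.jpg."""
    return user_id


def verify_old_cookie(cookie: str) -> Optional[str]:
    """Old scheme 'verification': there is nothing to check, any syntactically
    valid ID is accepted as that user. This is the flaw the post describes."""
    return cookie if cookie.isdigit() else None


def issue_cookie(user_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Hardened scheme (assumed design): ID followed by HMAC-SHA1(secret, ID).
    The prefix stays readable, which matches what the post observed, but the
    suffix can only be produced by someone holding the server secret."""
    tag = hmac.new(secret, user_id.encode(), hashlib.sha1).hexdigest()
    return user_id + tag


def verify_cookie(cookie: str, secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Return the user ID if the cookie carries a valid tag for it, else None."""
    if len(cookie) <= TAG_HEX_LEN:
        return None  # a bare ID (old-style cookie) is rejected outright
    user_id, tag = cookie[:-TAG_HEX_LEN], cookie[-TAG_HEX_LEN:]
    if not user_id.isdigit():
        return None
    expected = hmac.new(secret, user_id.encode(), hashlib.sha1).hexdigest()
    # constant-time comparison so the check does not leak how many characters matched
    return user_id if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    uid = "2006030209452263"  # the author's public ID from the post
    print("old scheme accepts bare ID:", verify_old_cookie(old_cookie(uid)))
    c = issue_cookie(uid)
    print("new cookie:", c, "length:", len(c))
    print("new scheme accepts issued cookie:", verify_cookie(c))
    print("new scheme accepts bare ID:", verify_cookie(uid))
```

The important property is not the length of the cookie but that the suffix depends on a secret the visitor does not have, so knowing an avatar file name no longer yields a usable mbl_sid. The new value is still a bearer token: whoever obtains the full cookie (as the author jokingly invites) is accepted as that user until the secret is rotated, so the cookie should still be marked HttpOnly and sent only where needed. A server-side random session table would add the ability to revoke individual cookies, which a pure MAC-over-ID scheme lacks.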

BTW: there are several ways to edit cookies, but the Firefox Add N Edit Cookie Editor eMich used (click thumbnail above for screenshot) is really handy…

Mybloglog Reaction

eMich/Michaël had notified Mybloglog about the flaw (in English! :-) [Update: see here]), but hadn’t heard from them since. The very same trick was revealed the day before yesterday by Shoemoney, a high-profile SEO blogger (he’s a conference speaker and has a weekly on Webmaster Radio). Shoemoney had posted several MyblogLog flaws/spamming tricks before (also see the extensive coverage by Andy Beard). The guys at MyblogLog lost their patience, banned his account, and patched their cookie system over the past few hours.

What is Mybloglog?

Mybloglog.com started as a visitor stats tracking package, but at the time they launched they were already lagging behind in features compared to other offerings (see e.g. these reviews). Then they had the absolutely brilliant idea of turning it into a decentralised social network for bloggers. Instead of using their collected data just to track the numbers of visitors, they could easily expose which blogger was visiting which blog. Which led to those fancy lists of recent visitors such as the one in the right nav bar of this blog [I took a screenshot for you RSS readers]. Quoting from their email last July:

MyBlogLog now offers free communities for each site that uses our link tracking. We’re developing a number of cool widgets that you can integrate with your blog or site to help you encourage your readers to join your community. Once you have more than 10 members in your community, we’ll tell you which other sites are popular with them and what they’ve clicked on the web that you might not even know about yet. As your community grows, your understanding of your users will grow along with it.

Visitor tracking across several sites used to cause public outcry over privacy issues (remember DoubleClick in the late nineties), but most bloggers just loved the idea of leaving a visible surfing trail and making other blog readers visit their own blog in return. Membership grew fast, and Mybloglog got acquired by Yahoo just half a year later. That acquisition caught the attention of … attention spammers, who had a really good time exploring the flaws of the system. So MyblogLog does make an effort to get most of those patched, but still… It is all based on surfing behaviour, and what can be easier than faking surfing behaviour?

15 Responses to “Why you were logged out of MyblogLog last night”

  1. Eric Marcoullier Says:

    That is truly amazing and embarrassing that someone sent us details of this hack a month ago. I’ve checked my historical email (I receive all the incoming emails) and cannot find it, so it either got spam filtered or lost during my transition to a new laptop. Neither is really no excuse. As you may have heard, we’re hiring a community manager who will help ensure that this sort of oversight will not happen in the future.

  2. Last Words On MyBlogLog - ShoeMoney™ Says:

    [...] Also interesting to see this post where a user pointed out all of these flaws over a month ago (yet he is not banned… amazing) (thanks raymond for the ping on that) [...]

  3. Pascal Says:

    Hi Eric, Michaël forwarded me the mail he sent (I of course obscured his personal mail address):

    —– Forwarded message from xxxxxx[at]emich.be —–
    Date: Tue, 16 Jan 2007 15:54:10 +0100
    From: xxxxxx[at]emich.be
    Reply-To: xxxxxx[at]emich.be
    Subject: Security issue…
    To: bugs[at]mybloglog.com

    Deleting mbl_user and mbl_pass and modifying mbl_sid (using the id
    found in an avatar filename) from cookies can make people fake someone
    is visiting their blog as I explained here (french):

    http://www.emich.be/fr/2007/01/16/comment_tricher_avec_mybloglog/

    Regards,
    Michaël Uyttersprot
    http://www.emich.be

    —– End forwarded message —–

  4. eMich Says:

    MyBlogLog hack, the end……

    If you use MyBlogLog, you will certainly have noticed it yesterday: you were logged out. The reason for this logout is the fix of a security problem that I reported by email more than a month ago and which has finally been resolved…

  5. MyBlogLog Bans Blogger; Backlash Begins Says:

    [...] The real funny thing is that the security hole Shoemoney blogged about had been discovered and posted publicly (in French language — translation here) over a month ago by eMich — yet as of this writing, that user hasn’t been banned. Founder Eric Marcoullier responded to this: That is truly amazing and embarrassing that someone sent us details of this hack a month ago. I’ve checked my historical email (I receive all the incoming emails) and cannot find it, so it either got spam filtered or lost during my transition to a new laptop. Neither is really no excuse. As you may have heard, we’re hiring a community manager who will help ensure that this sort of oversight will not happen in the future. [...]

  6. TechCrunch Japanese Archive » MyBlogLog bans well-known blogger, backlash mounts Says:

    [...] Oddly enough, the security hole that Shoemoney described on his blog had already been discovered by someone called eMich and made public in a post more than a month ago (in French; it can be translated here). And yet, as of this writing, eMich has not been banned, which makes for a laughable piece of news. Founder Eric Marcoullier had this to say about the situation: When the details of the hack were sent to us a month ago, I was stunned and annoyed. I have just checked my email history (all mail sent to us arrives here) and could not find it, so either it was rejected by the spam filter or it was lost when I switched to a new laptop. Either way, that is no excuse. As you may already have heard, we are right in the middle of hiring a community manager, and once they are hired, they will help make sure such an oversight never happens again. [...]

  7. Cleaning up the mess over at MyBlogLog » mathewingram.com/work Says:

    [...] Much has been written about the “Shoemoney Affair,” in which the blogger known as Shoemoney wrote about a MyBlogLog hack that allowed unscrupulous types to spoof their identities, and was subsequently banned from the service, despite the fact that — as Tony Hung pointed out at Deep Jive Interests — MyBlogLog didn’t have a terms of service agreement that said anything about banning people (it has since developed one). The banning also happened despite the fact that, as Eric Marcoullier of MBL admits here, someone else had posted something about the same exploit over a month earlier (although it was on a French blog, and therefore might have been missed). [...]

  8. Jonathan Brazil Says:

    I think that the banning of shoemoney was absolutely ridiculous. Also I am not alone, I know of many bloggers who are now boycotting the MyBlogLog service because of this case. In fairness, a problem was found with the service, details were published, discovered by the service providers and a patch put in place to stop it from happening again. That’s how all software works! Would the creators of MyBlogLog prefer if nobody mentioned the exploit and simply kept using it to increase the profile of their would-be readers? It’s just not the way a community should work in my opinion.

  9. Pascal Says:

    @Jonathan: I guess there are 2 sides of the story, as always. He had been asked not to send an email first before publishing more flaws, for example. Anyway he has been allowed in again, but you probably knew that already.

  10. MyBlogLog Problems and Recent Drama | Wordpress Tutorials And Blogging Tips Says:

    [...] MBL then changed the way their system works, effectively removing the loophole. However, they also banned Schoemaker and caused quite stir with the other bloggers, especially when they had earlier announced that all critiques / criticisms towards MBL should be laid out publicly. [...]

  11. More tips for hoax builders and Chinese dissidents Says:

    [...] (more explanation here) is a special case in that respect: bloggers in particular like to stay logged in to Mybloglog, because they [...]

  12. Everything is a Freaking DNS problem Says:

    Barcamp Gent, Web 2.0 rant slides now online…

  13. Browse your Mybloglog bloggers network | Weblog Pascal Van Hecke Says:

    [...] social network for bloggers that grows more or less spontaneously through mutual site visits, see also this post [...]

  14. Stijn De Meyere's sken.be Says:

    Mobile Webcamp…

    Yesterday I spent the whole day at the first Belgian Mobile Webcamp here in Hasselt. A whole day of talking and thinking, but above all listening to presentations about the mobile internet and the future. And also about other internet matters.

    I have quite a few …

  15. Daniel Craig Says:

    Hello, I was looking around for a while searching for internet security problems and I happened upon this site and your post regarding , I will definitely this to my internet security problems bookmarks!