You’re a Mybloglog user? Then you probably have had to log in again to have your avatar reappear at the blogs you visit. Some hours ago MyblogLog changed the way they place an identifier cookie on your hard disk. The reason: it was all too obvious how to take over someone else’s identity. More than a month ago, my fellow Belgian eMich (Michaël Uyttersprot) had already posted how to do this (I summarize his French-language post):
- delete the following cookies for the mybloglog.com domain (they’re the cookies that give you access to your account at mybloglog):
  - mbl_user: your login for mybloglog.com
  - mbl_pass: a hash of your password
  - mbl_rem: the “remember me?” value
- change the identifier cookie to the identifier of the person you wish to impersonate, and here’s the trick: until yesterday, you could simply pick his or her ID from the avatar’s file name, so 2006030209452263 was my ID since my avatar is 2006030209452263_avatar.jpg.
- which means you could fool anyone into believing that Michael Arrington, Chris Pirillo or Steve Rubel had visited their blog (including yourself, if you needed an ego boost ;-)
- since yesterday, this identifying cookie (you get it automatically by logging out of and back into MyblogLog) has a value that still starts with the old ID, but is three times as long (my cookie now is 2006030209452263bff46220b972135fdbc28eddfb92b8ec78e71002, so feel free to impersonate me :-) ). So far I haven’t seen a way to get hold of someone else’s identifier, and I guess the Mybloglog guys made it a lot harder this time.
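To make the before/after concrete, here is an added example (my own illustration, not MyblogLog’s code; the post does not reveal how they compute the 40 extra characters). It assumes a hypothetical server-side secret and uses HMAC-SHA1 over the public ID, which happens to produce exactly the 40 hex characters observed in the new cookie. The old scheme accepts any ID that can be read off an avatar file name; the new scheme rejects everything but a tag the server itself issued. A small server-side session store is included as the alternative a practitioner would usually prefer, because a random per-login token can also be revoked:

```python
import hmac
import hashlib
import secrets
from typing import Optional

# Hypothetical server-side key (assumption: the post says nothing about how
# MyblogLog derives the extra 40 hex characters; a keyed MAC over the ID is one way).
SERVER_SECRET = b"example-server-secret-rotate-me"
ID_LEN = 16    # the public ID in the post is 16 digits: 2006030209452263
TAG_LEN = 40   # HMAC-SHA1 hex digest length; 16 + 40 = the 56-char cookie quoted above


def public_id_from_avatar(filename: str) -> str:
    """The avatar file name exposes the public ID, e.g. 2006030209452263_avatar.jpg."""
    return filename.split("_avatar", 1)[0]


def old_cookie(user_id: str) -> str:
    """Pre-fix scheme as the post describes it: the cookie is nothing but the public ID."""
    return user_id


def old_lookup(cookie: str) -> Optional[str]:
    """Pre-fix check: any well-formed ID is accepted, so the avatar name alone suffices."""
    return cookie if len(cookie) == ID_LEN and cookie.isdigit() else None


def new_cookie(user_id: str, secret: bytes = SERVER_SECRET) -> str:
    """ID followed by a keyed tag; without the secret the tag cannot be derived from the ID."""
    tag = hmac.new(secret, user_id.encode(), hashlib.sha1).hexdigest()
    return user_id + tag


def new_lookup(cookie: str, secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Recompute the tag and compare in constant time; return the ID only on a match."""
    if len(cookie) != ID_LEN + TAG_LEN:
        return None
    user_id, tag = cookie[:ID_LEN], cookie[ID_LEN:]
    expected = hmac.new(secret, user_id.encode(), hashlib.sha1).hexdigest()
    return user_id if hmac.compare_digest(tag, expected) else None


class SessionStore:
    """Alternative: a random per-login token kept server-side, so it can also be revoked."""

    def __init__(self) -> None:
        self._tokens = {}   # cookie value -> user ID

    def issue(self, user_id: str) -> str:
        # 20 random bytes -> 40 hex chars, same on-the-wire shape as the MAC variant
        cookie = user_id + secrets.token_hex(TAG_LEN // 2)
        self._tokens[cookie] = user_id
        return cookie

    def lookup(self, cookie: str) -> Optional[str]:
        return self._tokens.get(cookie)

    def revoke(self, cookie: str) -> None:
        self._tokens.pop(cookie, None)


if __name__ == "__main__":
    # Constructed sample input: the ID the post's author published for himself.
    victim = public_id_from_avatar("2006030209452263_avatar.jpg")
    print("old scheme accepts ID from avatar name:", old_lookup(old_cookie(victim)) == victim)
    print("new scheme rejects bare ID:", new_lookup(victim) is None)
    print("new scheme rejects ID with guessed tag:", new_lookup(victim + "0" * TAG_LEN) is None)
    print("new scheme accepts issued cookie:", new_lookup(new_cookie(victim)) == victim)
```

The MAC variant needs no server-side state, but the tag for a given ID is fixed until the secret rotates, so it cannot be invalidated per user; the `SessionStore` variant costs a lookup but lets a login be revoked individually, which matters once an account has been banned.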
BTW: there are several ways to edit cookies, but the Firefox Add N Edit Cookie Editor eMich used (click thumbnail above for screenshot) is really handy.
eMich/Michaël had notified Mybloglog about the flaw (in English! :-) [Update: see here]), but hadn’t heard from them since. The very same trick was revealed the day before yesterday by Shoemoney, a high-profile SEO blogger (he’s a conference speaker and has a weekly show on Webmaster Radio). Shoemoney had posted several MyblogLog flaws/spamming tricks before (also see the extensive coverage by Andy Beard). The guys at MyblogLog lost their patience, banned his account, and patched their cookie system over the past few hours.
What is Mybloglog?
Mybloglog.com started as a visitor stats tracking package, but at the time they launched they were already lagging behind in features compared to other offerings (see e.g. these reviews). Then they had the absolutely brilliant idea of turning it into a decentralised social network for bloggers. Instead of using their collected data just to track the number of visitors, they could easily expose which blogger was visiting which blog. Which led to those fancy lists of recent visitors such as the one in the right nav bar of this blog [I took a screenshot for you RSS readers]. Quoting from their email last July:
“MyBlogLog now offers free communities for each site that uses our link tracking. We’re developing a number of cool widgets that you can integrate with your blog or site to help you encourage your readers to join your community. Once you have more than 10 members in your community, we’ll tell you which other sites are popular with them and what they’ve clicked on the web that you might not even know about yet. As your community grows, your understanding of your users will grow along with it.”
Visitor tracking across several sites used to cause public outcry over privacy issues (remember DoubleClick in the late nineties), but most bloggers just loved the idea of leaving a visible surfing trail and making other blog readers visit their own blog in return. Membership grew fast, and Mybloglog got acquired by Yahoo just half a year later. That acquisition caught the attention of … attention spammers, who had a really good time exploring the flaws of the system. So MyblogLog does make an effort to get most of those patched, but still… It is all based on surfing behaviour, and what can be easier than faking surfing behaviour?