
The New Year has been a busy one for me, thanks to several new customers asking me to provide custom OpenLaszlo-powered Flash widget development. It has been exciting working with other new ventures in their early stages. I find it noteworthy that all my new customers are utilizing widgets for e-commerce purposes. E-commerce 2.0 via widgets seems to be gaining momentum!

I’ve been meaning to write this post since December about flaws in MyBlogLog’s widget…I suppose it is good that I didn’t, because I may have upset their recent $10MM acquisition by Yahoo!

Just about any web application developed in HTML/AJAX is inherently insecure. HTML has been bastardized since the dot-com boom into an application development technology, which it was never intended to be. HTML is fine for presenting and navigating static text, as originally designed. But when you ask a standards-based thin-client technology to run as an application platform, you are asking for trouble with regard to performance and security. This makes AJAX, riding on the back of HTML, an insecure foundation on which to build Rich Internet Applications (RIAs).

The crux of the problem comes down to scripting. Any browser-based web application can be fooled by scripting. Scripting allows hackers (or, as I call myself when doing this, experimenters) to create automated programs that perform the actions a human performs in a browser, like editing text and clicking buttons.

eBay is always a favorite target for scripted bots. Every automated eBay snipe program is a scripted bot, because eBay has granted only one company that I know of (Unwired Buyer) access to its bidding API. eBay has made immense efforts, surely at great expense, to try to defeat scripted bots (notice how eBay’s search URLs are now randomly generated…but then please be sure to use Cooqy for all your eBay shopping!).

Fundamentally, eBay and other companies running HTML web applications and HTML widgets like MyBlogLog will never succeed in preventing scripted bot attacks. The standards-based browser and the availability of browser source code such as the Gecko engine give hackers (or experimenters) the power to emulate humans very effectively. Steps are continually being taken to defeat scripted bots (like those annoyingly hard-to-read letter-and-number images you are forced to re-enter to log in to many websites)…but the problem will never entirely go away. That is the bane of trying to build a skyscraper on top of a fundamentally weak foundation originally intended to support a house.

MyBlogLog’s implementation is particularly amateurish with regard to security and the ease with which the reader roll widget can be spoofed. This TechCrunch article doesn’t begin to scratch the surface of the vulnerability. The article talks about the ease of spamming a single reader roll widget…but it is just as easy to spam all reader rolls on every blog containing the widget! That makes the MyBlogLog reader roll a fantastic advertising vehicle to drive traffic! Here’s how easy it is for hackers (or experimenters) to advertise on everybody’s MyBlogLog reader roll widget:

The first step is to create a MyBlogLog account and upload, as the avatar, the image that is to appear on every MyBlogLog widget. On the account’s home page, view the page source. MyBlogLog creates a “SID” (a unique identifier) for every user. The SID can be quickly spotted by looking at the avatar’s filename (hosted on Amazon’s S3 service). It will look like “2006113016423040”. It is simply the date and time at which the MyBlogLog account was created.

The way the widget works is that when a user signs into MyBlogLog, the SID is stored in a browser cookie. The widget simply reads the cookie and displays the avatar. This is done via a simple PHP REST-style transaction the widget performs when it loads (mybloglog.com/tr/urltrk.php). The transaction’s parameters identify the widget’s owner (another SID) and the viewer’s SID. So simply invoking that REST transaction with a viewer SID and the target widget’s SID is all that is needed to make an image appear at the top of the widget.
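To make the trust problem in that transaction concrete, here is an added example (not MyBlogLog’s code; the endpoint logic, cookie layout and rate-limit threshold are simplified assumptions): a weak form that believes whatever SID the cookie carries, next to a hardened form that only accepts a login-issued signed session and refuses one viewer landing on an unusual number of distinct rolls.

```python
import hmac
import hashlib
import secrets
from collections import defaultdict

# Constructed stand-in for the tracking call the post describes: the widget
# reports (owner SID, viewer SID) and the server puts the viewer's avatar at
# the top of that owner's reader roll. Names, cookie layout and threshold are
# assumptions, not MyBlogLog's implementation.
def timestamp_sid(y, mo, d, h, mi, s, seq="00"):
    """The predictable SID style the post describes: account creation date
    and time plus a short suffix. It is an identifier, not a secret."""
    return f"{y:04d}{mo:02d}{d:02d}{h:02d}{mi:02d}{s:02d}{seq}"

def new_state():
    """rolls: owner SID -> viewers, newest first; seen: viewer -> owners hit."""
    return defaultdict(list), defaultdict(set)

# Weak form: the server believes whatever SID the cookie carries, so any SID
# read off a member page can be made to appear on any widget.
def urltrk_weak(rolls, owner_sid, cookie):
    rolls[owner_sid].insert(0, cookie["sid"])
    return True

# Hardened form: (1) viewer identity is a signed session minted at login, so
# a bare SID cannot be replayed as someone else; (2) one viewer landing on an
# unusual number of distinct rolls per window is refused and flagged.
SERVER_KEY = secrets.token_bytes(32)        # constructed per-deployment secret
MAX_DISTINCT_ROLLS_PER_WINDOW = 50          # constructed tuning value

def issue_session(viewer_sid):
    """Called only after a real login; the nonce makes the cookie unguessable
    and the HMAC binds it to the SID."""
    nonce = secrets.token_hex(16)
    msg = f"{viewer_sid}:{nonce}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return {"sid": viewer_sid, "nonce": nonce, "tag": tag}

def session_is_valid(cookie):
    try:
        msg = f"{cookie['sid']}:{cookie['nonce']}".encode()
        expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, cookie["tag"])
    except (KeyError, TypeError, AttributeError):
        return False

def urltrk_hardened(rolls, seen, owner_sid, cookie):
    """Returns 'ok', 'bad_session' or 'rate_limited'."""
    if not session_is_valid(cookie):
        return "bad_session"          # drop silently; nothing to explain
    viewer = cookie["sid"]
    hit = seen[viewer]
    if owner_sid not in hit and len(hit) >= MAX_DISTINCT_ROLLS_PER_WINDOW:
        return "rate_limited"         # log the viewer SID for review
    hit.add(owner_sid)
    rolls[owner_sid].insert(0, viewer)
    return "ok"

if __name__ == "__main__":
    rolls, seen = new_state()
    owner = timestamp_sid(2006, 5, 1, 9, 30, 0)                # constructed
    viewer = timestamp_sid(2006, 11, 30, 16, 42, 30, "40")     # the post's example
    print(urltrk_weak(rolls, owner, {"sid": viewer}))            # True
    print(urltrk_hardened(rolls, seen, owner, {"sid": viewer}))  # bad_session
    print(urltrk_hardened(rolls, seen, owner, issue_session(viewer)))  # ok
```

The signed session stops a scraped SID from being replayed as another member; the per-window counter is what makes a single account fanning out across thousands of rolls visible in server logs.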

MyBlogLog makes it incredibly easy to mine everyone’s SID…all someone has to do is scrape the HTML contents of the member directory and parse out each member’s SID. I can’t emphasize enough how stupid it is for MyBlogLog to publish an entire directory of members and communities in a static HTML structure…this invites all types of attacks. Actually, I’ll go so far as to say it is F@#king Stupid. I can’t believe Yahoo! coughed up $10MM for amateurs with only 35,000 member accounts, but oh well. Buyer beware.

Creating the scripted bot is trivially easy (well, for a programmer at least)…just write a program to iterate through the online member directory, read each member’s HTML page to extract the SID, then invoke the PHP REST transaction with your account’s SID…presto, you have a very effective marketing tool to get noticed on several thousand blogs. It won’t be long until teenagers have fun placing porno pics on everyone’s blogs. This works very well on blogs with slow traffic, where the image is likely to stay at the top of the widget for weeks on end. The majority of blogs don’t have much traffic, after all.

Unfortunately, MyBlogLog is not an isolated example. Web 2.0 companies rushing to build widgets and web applications with HTML and AJAX technology without considering security are all ripe for attacks. Even when security is taken into consideration, there is always the possibility of scripted bot attacks.

This is one reason why Cooqy’s widgets and RIA search engine are built with Flash as the runtime engine. As far as I know, there is no effective scripting mechanism that can be used to create scripted bots against Flash widgets and web applications. Adobe’s recent announcement that it will open-source portions of the Flash player may unfortunately open the door to this in the future, however. But for now at least, Flash provides a fundamentally more secure and hack-proof (or experimentation-proof) foundation for building widgets and web apps.

OpenLaszlo-powered Flash applications are, I believe, the fastest and safest way to bring new widgets and web applications to market.


30 Responses to “MyBlogLog’s Stupid, Unsecured Widget Implementation: Widget and Browser-Based Web Application Security”

  1. on 12 Jan 2007 at 2:42 pm, Andre SC

    Thanx, very interesting read indeed. Most of the technicalities are beyond my hearth. But that said I’m not sure I buy that something like MyBlogLog has to be all that secure. I lean towards wanting to see the ‘community’ respond to the evolving situation than have everything hard-coded and locked up. I’d like to see social networks be more responsive along the lines of how vandalism is dealt with in Wikipedia.

    There is also Occam’s razor and all its wonderful subjectivity.

  2. on 12 Jan 2007 at 3:38 pm, Scott Rafer

    The issue with your argument is that “stupid and unsecured” in the lifecycle of a site like ours. If we hid the directory info at the beginning, our SEO would have suffered tremendously. We bring bloggers a lot of traffic via our high placement in the search engines.

    We are getting to the point where we need to outgrow that kind of approach, but you would have never heard of us had we not started without it.

  3. on 12 Jan 2007 at 4:21 pm, Jacksta

    Thank you for the review. I hope I’m not ‘F@#king Stupid’ for using Mybloglog; if I am and do start to get teenagers having fun placing porno pics on my site, I will remove the code :( .. all the technicalities are quite beyond me as well~

  4. on 12 Jan 2007 at 5:04 pm, ryeager

    Scott,

    I don’t agree that the ends justify the means. Your success is predicated on exposing the MyBlogLog user base to all types of attacks. I mean really, your system is WIDE OPEN. I’m surprised it passed the muster of Yahoo!’s technical due diligence.

    For example, someone could write a bot that hijacks your own avatar and posts messages to people in the community. I don’t advocate that, but someone who wanted to do this has no barriers in their way. They just need to know your SID is 2006041816590175, take a peek at the message post logic, and away they go.

    It is not very different from the early days of MySpace (or other Web 2.0 communities) where spammers and bots take over, followed by the cat-and-mouse game of trying to plug all the holes open to scripted bot attacks. HTML technology makes for lousy and unsecured communities.

    You and I know that SEO is the underlying reason for the static HTML directory structure, but innocent bloggers are oblivious to the danger exposed to them by joining the MyBlogLog network.

    My blog article is intended to be a heads up to all people using new Web 2.0 services and widgets that shortcuts are taken for the sake of quick market entry…so beware of the consequences. I could have just as easily picked on YouTube or any other community-based website.

    I remain a huge fan of MyBlogLog…it is a great concept, but flawed with regards to security. You deserve your success…I wish you well and hope my article opens everyone’s eyes to the issue.

    The main point of my article, however, is to lay the groundwork for my upcoming new venture… :-)

    Robert Yeager

  5. on 12 Jan 2007 at 5:12 pm, Jason - GorillaSushi

    All things considered, there is no bad publicity. I wonder how many new users this story has generated for them? Perhaps a negative story is the best thing that could happen for them.

    Fixing the problem BEFORE = imperceptible site update.
    Fixing the problem AFTER = saving the day.

  6. on 12 Jan 2007 at 5:21 pm, ryeager

    Jason,

    I don’t wish MyBlogLog any ill will…that wasn’t the intention of my article. It’s more of an industry-wide problem.

    I did want to open everyone’s eyes to a technical issue that nontechnical bloggers would otherwise be unaware of when joining the MyBlogLog network.

    Certainly, internet startups want to get to market fast and cheap…in case the idea doesn’t fly, minimize the loss.

    But in choosing technology, relying on HTML-based websites for communities is just asking for trouble.

    Robert

  7. on 12 Jan 2007 at 5:51 pm, Gregg

    Cooq,

    I wondered how it was you appeared on the top of MYBLOGLOG today and I think your article explains it. If I were drawn to your site for any other reason than your exposé on this widget vulnerability I might be displeased. But a cautionary tale by a Cooqy-scripted SpamBot? Well I do love irony.

    Gregg

  8. on 12 Jan 2007 at 6:08 pm, ryeager

    Like I mention in my response to Scott, you can’t be for certain that the messages you receive from others are really from a human or not, or even if someone is impersonating someone else’s (or your!) identity.

    How’s that for some sobering thoughts about MyBlogLog?

  9. on 12 Jan 2007 at 6:46 pm, Martine

    Hum!!!! Quite interesting discussion. What I find very cute is the fact that you are a member of MyBlogLog, Cooq, aren’t you???

    Soooo!!! Ulterior motives??? something to gain??? probably…

    Thanks for visiting me and keep up the good “work”. Of course you have something there… (and I hope that you don’t take yourself too seriously!!)

  10. on 12 Jan 2007 at 7:55 pm, ryeager

    I try not to take myself too seriously. :-)

    Yes, I think the gaping holes in MyBlogLog’s technology provides an opportunity for someone to fix and improve upon.

    Like I’ve mentioned before, I’m a huge fan of MyBlogLog’s concept.

  11. on 12 Jan 2007 at 9:14 pm, Scott Rafer

    I hear you, but the entire blogging world is the same. Much of what you suggest is true of every blog comment system. I’m not saying we’re any better [yet!], but our system is such that we can fix and are fixing these things before “real” traffic is at stake. What you are basically saying, I agree with: MyBlogLog is not a secure identity system. We’ve gone to great pains to express that to people, and most are ok with it. The ones we need to protect are the folks who don’t care what an identity system is. Until we do that, we’ll make sure that any “vulnerabilities” we cause have minimal side effects.

    To your other point, SEO is a double-edged sword. I can’t sit here and apologize for existing. With a less transparent (and from your point of view, unsecure) system, we wouldn’t exist. It’s always the way — great technology is too expensive and loses. A great concept, executed minimally, takes the day in the face of technologically superior competitors.

    We share the traffic nicely with the bloggers who use the system, so they benefit alongside us. We wouldn’t have reached a critical mass of community in any other way. We’re working hard to put features in place that preserve that benefit for the white- (and light gray-) hatted SEO types and that make us unattractive to anyone more aggressive. We will get it wrong for a while, but going completely dark from the search engine crawler’s point of view is not the solution either.

  12. on 12 Jan 2007 at 9:54 pm, John C

    DRAT! You TOLD! You TURNCOAT!

    Just when I was going to make with the whole mybloglog domination tactic!

    :)

    ::saunters off to try and find something else to exploit to the unknowing masses::

  13. on 13 Jan 2007 at 12:18 am, breeze

    So, MyBlogLog is still safe to use though…. right? Did I miss something?

  14. on 13 Jan 2007 at 2:00 am, Andre SC

    LOL

  15. on 13 Jan 2007 at 6:14 am, justelise

    If you are so displeased with the level of security of the product, why do you continue to use it on your site? Could it be that you still appreciate the traffic it’s pulling in for you?

    If you’re going to go off about the security of an application, at least stop using it and lead by example or contact Yahoo in hopes to convince them to investigate the security of the application first.

  16. on 13 Jan 2007 at 10:45 am, ryeager

    Why would I be displeased? Nowhere do I say that I am displeased with MyBlogLog’s concept.

    I just decided to give everyone in the community a heads-up to the problems, after seeing many suspicious avatars floating around on many low-traffic blogs with the reader roll.

  17. on 13 Jan 2007 at 1:07 pm, Scott Rafer

    Yes, it’s safe. The only issue is that people can keep an avatar on your site via our widget longer than most people (including us) would like. We’re working to relieve the situation.

    Per the identity issue that Cooqy brings up, all that’s necessary is to use the normal for online communication. Avoid disclosing credit card numbers, etc., unless you are on a secure site. We are not a secure site from a financial transactions perspective.

    The only time any payment information should be given in connection with our site is when we redirect you to a paypal.com web address for MyBlogLog Pro.

  18. on 13 Jan 2007 at 5:49 pm, mauimacman

    Hi,

    I really liked what you had to say. Thanks for the education. Speaking of which, with your knowledge, you might like to be involved with making a networking tool to help peeps get what they need to succeed. That’s what Creativity Cafe is all about! The networking tool is part of the Venue operating system we are designing~ Best, MauiMacMan

  19. on 13 Jan 2007 at 6:19 pm, MyBlogLog is full of holes! at Zamber.net

    […] Cooqy’s blog told me today that every AJAX-based application is full of holes and potentially dangerous. Of course Cooqy is right, because xhtml is a language meant (by design) to present static content. A good example confirming Cooqy’s thesis is the script known as “Samy is my hero”, written by a 16-18-year-old for purely geeky reasons ;) - to show that he could break MySpace’s security; admittedly, he did not foresee that within a day his code would reach ~1M users. […]

  20. on 13 Jan 2007 at 8:52 pm, Scott Rafer

    a CC of the comment I left on your MyBlogLog page:
    ————————–
    Now that the widget spam issue is well documented, how about you turn off your script? I’ve not taken any action on your account because it appeared you were trying to be constructive. That appearance is diminishing. I’m sending this message publicly so no one is unclear on what’s going on. I’ll repeat it in your blog comments.

  21. on 14 Jan 2007 at 3:04 am, Andre SC

    Hmmm, do you pull similar stunts with ebay tech?

  22. […] Just a little Cooqy » Blog Archive » MyBlogLog’s Stupid, Unsecured Widget Implementation: Widget and Browser-Based Web Application Security […]

  23. on 14 Jan 2007 at 12:00 pm, ryeager

    Andre,

    I am opening everybody’s eyes to a problem average bloggers would be unaware that is happening.

    I have seen many suspicious avatars and comments on MyBlogLog, where those people seemed to be on too many reader rolls over and over.

    As I dug around, I saw that MyBlogLog was probably being gamed by these people. I haven’t pointed out these suspicious people by name, b/c I have no proof.

    I do enjoy a bit of theatrics to raise attention.

  24. on 15 Jan 2007 at 8:42 pm, Gregg Scott

    Cooq…

    I love how you have turned up the heat on this. I think we all are naive about web security and blog safety. I heard one of the founders of WordPress on a podcast over the weekend talking about how he thought web spam would be THE issue in 5 years, not email.

    This guy is up to something as well pinging MyBlogLog contacts. http://www.webmasterwords.com/

    Would you be open to a brief phone interview on the subject for my blog?

    Sincerely,

    GREGG

  25. on 15 Jan 2007 at 10:00 pm, ryeager

    Hi Gregg,

    I’ve been trying to contact you via your hotmail address.

    Yes, I’m interested in talking.

    Robert
    ryeager@cooqy.com

  26. on 17 Jan 2007 at 9:43 am, Blandly Urbane

    I run fairly ignorantly along the lines of something like this. Thanks for the info. I have enjoyed finding many different blogs that I wouldn’t have noticed before MyBlogLog.

    Hope this doesn’t prove to be a problem for me.

    FYI: based on a comment at your profile at MBL you were discussing how cooqy looks like coogy to many. I guess it’s just going to be one of those things that people read correctly or don’t. I didn’t give it a second thought…it just read as cooqy to me. So maybe visitors will be 50/50

  27. on 17 Jan 2007 at 11:32 am, Chris Marsden @ chrismarsden.com

    My Blog Log…

    Just came across a couple of interesting posts about MyBlogLog. First by Lucy Lou talking about the community aspect and its potential decline if people start to take advantage of it for marketing purposes. The second about Widget security and …

  28. on 24 Jan 2007 at 3:38 am, Andre SC

    ryeager, fair enough, the question I don’t see answered is to what extent you gamed the system?

    I agree that this is an important issue, still not convinced about armour-plated security for all contexts but in retrospect perhaps my initial response, and vague antagonism to you was unfounded/inappropriate in which case I apologise.

    Theatrics sure have their place :-)

  29. on 24 Jan 2007 at 11:21 pm, JohnPearson

    Nice Post.

    That was well said. Always appreciate your in-depth views. Keep up the great work!

    John

  30. […] If you have been a MyBlogLog member since its early days, you know how nicely spammers abused it and how MyBlogLog folks tried to hide their sin by banning some people. Later, Shoemoney […]
